CVE-2024-43411Cross-site Scripting in Ckeditor4

CWE-79Cross-site Scripting7 documents6 sources
Severity
3.1LOWNVD
EPSS
0.1%
top 76.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ckeditor Ckeditor4
Timeline
PublishedAug 21
Latest updateFeb 6

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you us

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:NExploitability: 0.5 | Impact: 2.5

Affected Packages2 packages

npmckeditor/ckeditor44.22.04.25.0
CVEListV5ckeditor/ckeditor4>= 4.22.0, < 4.25.0-lts

🔴Vulnerability Details

4
GHSA
CKEditor4 low-risk cross-site scripting (XSS) vulnerability linked to potential domain takeover2024-08-21
CVEList
CKEditor4 has a low risk cross-site scripting (XSS) vulnerability from domain takeover2024-08-21
OSV
CVE-2024-43411: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor2024-08-21
OSV
CKEditor4 low-risk cross-site scripting (XSS) vulnerability linked to potential domain takeover2024-08-21

📋Vendor Advisories

2
Ubuntu
CKEditor vulnerabilities2025-02-06
Debian
CVE-2024-43411: ckeditor - CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoreti...2024
CVE-2024-43411 — Cross-site Scripting in Ckeditor4 | cvebase