CVE-2024-43407

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:lts:*:*:*

History

23 Aug 2024, 16:20

Type Values Removed Values Added
References () https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94 - () https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94 - Patch
References () https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa - () https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa - Patch
References () https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv - () https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv - Vendor Advisory
Summary
  • (es) CKEditor4 es un editor HTML de código abierto de lo que ves es lo que obtienes. Se ha descubierto una vulnerabilidad potencial en el complemento GeSHi del fragmento de código de CKEditor 4. La vulnerabilidad permitió un ataque XSS reflejado al explotar una falla en la librería de resaltado de sintaxis GeSHi alojada por la víctima. La librería GeSHi se incluyó como dependencia del proveedor en los archivos fuente de CKEditor 4. En un escenario específico, un atacante podría crear un script malicioso que podría ejecutarse enviando una solicitud a la librería GeSHi alojada en un servidor web PHP. La librería GeSHi ya no se mantiene activamente. Debido a la falta de soporte y actualizaciones continuas, se han identificado posibles vulnerabilidades de seguridad con su uso continuo. Para mitigar estos riesgos y mejorar la seguridad general de CKEditor 4, hemos decidido eliminar por completo la librería GeSHi como dependencia. Este cambio tiene como objetivo mantener un entorno seguro y reducir el riesgo de incidentes de seguridad relacionados con software desactualizado o sin soporte. La solución estará disponible en la versión 4.25.0-lts.
CPE cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:lts:*:*:*
First Time Ckeditor
Ckeditor ckeditor

21 Aug 2024, 16:06

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-21 15:15

Updated : 2024-08-23 16:20


NVD link : CVE-2024-43407

Mitre link : CVE-2024-43407

CVE.ORG link : CVE-2024-43407


JSON object : View

Products Affected

ckeditor

  • ckeditor
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')