CVE-2024-45613

CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. The vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which is only possible with a very specific editor configuration. It affects only installations where the Block Toolbar plugin is enabled and, in addition, either the General HTML Support plugin (with a configuration that permits unsafe markup) or the HTML Embed plugin is enabled. A fix is available in version 43.1.1. As a workaround, disable the Block Toolbar plugin until the upgrade is applied.
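The conditions above combine a version range with a plugin combination, so an audit needs both. The following is an added example written for this page; it is not code from the CKEditor 5 project or from the advisory. It takes the installed ckeditor5 version (for instance from package-lock.json) and the editor configuration object as it would be passed to the editor's create() call, and reports whether the advisory's conditions hold. Assumptions: the plugin set is listed explicitly (as plugin names or classes carrying a static pluginName), removePlugins is honoured, and the "permits unsafe markup" test for General HTML Support is a heuristic of this example's choosing (it flags allow rules that match script-bearing elements or event-handler attributes), not the advisory's definition.

```javascript
// Added example: audit a CKEditor 5 deployment against CVE-2024-45613.
// Vulnerable only if ALL of: affected version, BlockToolbar enabled, and
// (HtmlEmbed enabled OR GeneralHtmlSupport enabled with permissive rules).

const AFFECTED_FROM = [40, 0, 0]; // first affected release (inclusive)
const FIXED_IN = [43, 1, 1];      // first fixed release

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True for 40.0.0 <= version < 43.1.1, the range stated in the advisory.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// Effective plugin names: `plugins` minus `removePlugins` (assumption: the list is
// explicit; a predefined build's builtinPlugins would have to be added by the caller).
function effectivePlugins(config) {
  const name = (p) => (typeof p === 'string' ? p : p.pluginName);
  const removed = new Set((config.removePlugins || []).map(name));
  return new Set((config.plugins || []).map(name).filter((n) => n && !removed.has(n)));
}

// Heuristic list of elements that carry script when allowed into editor output.
const SCRIPT_BEARING = ['script', 'iframe', 'object', 'embed', 'svg', 'style'];

// Match a GHS rule pattern (true / string / RegExp / array / keyed object) against a value.
function patternMatches(pattern, value) {
  if (pattern === true) return true;
  if (pattern instanceof RegExp) return pattern.test(value);
  if (typeof pattern === 'string') return pattern === value;
  if (Array.isArray(pattern)) return pattern.some((p) => patternMatches(p, value));
  if (pattern && typeof pattern === 'object') {
    return Object.keys(pattern).some((k) => patternMatches(k, value));
  }
  return false;
}

// Does any `allow` rule admit a script-bearing element or an on* handler attribute?
// `disallow` rules are ignored, so this can over-report but never under-report.
function ghsPermitsUnsafeMarkup(htmlSupport) {
  const allow = (htmlSupport && htmlSupport.allow) || [];
  return allow.some((rule) => {
    const elementHit = SCRIPT_BEARING.some((el) => patternMatches(rule.name, el));
    const handlerHit = patternMatches(rule.attributes, 'onerror');
    return elementHit || handlerHit;
  });
}

function assess({ version, config }) {
  const plugins = effectivePlugins(config);
  const affectedVersion = isAffectedVersion(version);
  const blockToolbar = plugins.has('BlockToolbar');
  const htmlEmbed = plugins.has('HtmlEmbed');
  const ghsUnsafe = plugins.has('GeneralHtmlSupport') && ghsPermitsUnsafeMarkup(config.htmlSupport);
  const vulnerable = affectedVersion && blockToolbar && (htmlEmbed || ghsUnsafe);
  const advice = [];
  if (affectedVersion) advice.push('upgrade ckeditor5 to 43.1.1 or later');
  if (vulnerable) advice.push("until upgraded, add 'BlockToolbar' to config.removePlugins");
  return { affectedVersion, blockToolbar, htmlEmbed, ghsUnsafe, vulnerable, advice };
}

// Constructed sample configurations for illustration (not from any real deployment).
const RISKY_CONFIG = {
  plugins: ['Essentials', 'Paragraph', 'BlockToolbar', 'GeneralHtmlSupport'],
  blockToolbar: ['paragraph', 'heading'],
  // The commonly copied "allow everything" GHS rule: any element, any attribute.
  htmlSupport: { allow: [{ name: /.*/, attributes: true, classes: true, styles: true }] },
};

// Same editor with the advisory's workaround applied.
const MITIGATED_CONFIG = { ...RISKY_CONFIG, removePlugins: ['BlockToolbar'] };
```

Calling assess({ version: '43.0.0', config: RISKY_CONFIG }) reports the deployment as vulnerable, while the same call with MITIGATED_CONFIG or with version '43.1.1' does not; a General HTML Support rule that only allows, say, div with classes is not flagged, since the advisory requires a configuration that permits unsafe markup.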
Configurations

Configuration 1

cpe:2.3:a:ckeditor:ckeditor5:*:*:*:*:*:*:*:*

History

01 Oct 2024, 16:26

Type: References
  Removed: https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1
  Added:   https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1 - Release Notes
Type: References
  Removed: https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v
  Added:   https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v - Third Party Advisory
Type: CVSS
  Removed: v2 : unknown; v3 : 7.2
  Added:   v2 : unknown; v3 : 6.1
Type: CPE
  Added:   cpe:2.3:a:ckeditor:ckeditor5:*:*:*:*:*:*:*:*
Type: First Time
  Added:   Ckeditor ckeditor5; Ckeditor

26 Sep 2024, 13:32

Type: Summary
  Added (es, translated from Spanish): CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability exists in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which could happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. As a workaround, the Block Toolbar plugin can be disabled.

25 Sep 2024, 14:15

Type: New CVE

Information

Published : 2024-09-25 14:15

Updated : 2024-10-01 22:15


NVD link : CVE-2024-45613

Mitre link : CVE-2024-45613

CVE.ORG link : CVE-2024-45613

Products Affected

ckeditor

  • ckeditor5
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')