CVE-2023-28439: ckeditor4 plugins vulnerable to cross-site scripting caused by the editor instance destroying process
First published: Wed Mar 22 2023(Updated: )
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ckeditor Ckeditor | >=4.0<4.21.0 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| Fedoraproject Fedora | =39 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ckeditor.com/cke4/addon/embed
- https://ckeditor.com/cke4/addon/iframe
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/
Frequently Asked Questions
What is CKEditor4?
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.
What is the vulnerability affecting CKEditor4?
The vulnerability affecting CKEditor4 is a cross-site scripting (XSS) vulnerability in the Iframe Dialog and Media Embed packages.
What can the vulnerability in CKEditor4 potentially do?
The vulnerability in CKEditor4 can allow an attacker to trigger JavaScript code under certain conditions.
How does the vulnerability in CKEditor4 occur?
The vulnerability in CKEditor4 occurs when one of the affected packages is used.
How can I fix the vulnerability in CKEditor4?
To fix the vulnerability in CKEditor4, update to a version higher than 4.21.0.
- collector/nvd-index
- agent/references
- agent/author
- agent/type
- agent/event
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/title
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/description
- collector/mitre-cve
- source/MITRE
- vendor/ckeditor
- canonical/ckeditor ckeditor
- version/ckeditor ckeditor/4.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- version/fedoraproject fedora/39