Cross-Site Scripting vulnerability in CKSource CKEditor
Posted date 16/11/2023
Identifier
INCIBE-2023-0504
Importance
3 - Medium
Affected Resources
- CKEditor, 4.15.1 version and earlier.
Description
INCIBE has coordinated the publication of one vulnerability that affects CKEditor, an open source text editor that provides word processing functions on web pages, which has been discovered by Rafael Pedrero.
This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:
- CVE-2023-4771: CVSS v3.1 base score 6.1 | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.
Solution
The issue was found in one of the archived samples that should never be used by integrators in production code. There is no information about potential security vulnerabilities in CKEditor 4 itself.
Detail
- CVE-2023-4771: a cross-site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious JavaScript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information.
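Since the vendor's position is that the archived samples must never be shipped with a production integration, the practical check for a defender is whether a deployed web root still contains a ckeditor/samples tree at all, and in particular the file named in this advisory. The script below is an added example written for this page, not code from INCIBE or from CKSource; it walks a directory, reports every file under any ckeditor/samples directory, and separately flags the path /ckeditor/samples/old/ajax.html. The demo web root it builds is constructed for illustration; run it against the real document root of the web server to audit an actual deployment.

```python
"""Audit a web root for deployed CKEditor 4 sample files (added example, not vendor code)."""
import os
import tempfile
from pathlib import Path, PurePosixPath

# Relative path of the sample file named in the advisory for CVE-2023-4771.
KNOWN_VULNERABLE_SAMPLE = PurePosixPath("ckeditor/samples/old/ajax.html")


def _is_sample_path(rel_parts):
    """True if the path has a 'ckeditor' directory immediately followed by 'samples'."""
    lowered = [p.lower() for p in rel_parts]
    return any(
        lowered[i] == "ckeditor" and lowered[i + 1] == "samples"
        for i in range(len(lowered) - 1)
    )


def find_ckeditor_samples(web_root):
    """Return (sample_files, known_vulnerable): POSIX-style paths relative to web_root.

    sample_files lists every file under a ckeditor/samples tree (all of which the
    vendor says should not be in production); known_vulnerable lists the subset
    that matches the file named in the advisory.
    """
    root = Path(web_root)
    sample_files = []
    known_vulnerable = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order for stable reports
        for name in sorted(filenames):
            rel = Path(dirpath, name).relative_to(root)
            if not _is_sample_path(rel.parts):
                continue
            rel_posix = rel.as_posix()
            sample_files.append(rel_posix)
            # The editor may be deployed under a prefix such as /static/ or /vendor/,
            # so match the advisory path as a suffix rather than from the root.
            if rel_posix.lower().endswith(str(KNOWN_VULNERABLE_SAMPLE)):
                known_vulnerable.append(rel_posix)
    return sample_files, known_vulnerable


def build_demo_web_root(base_dir):
    """Create a constructed directory layout (hypothetical deployment) and return its path."""
    root = Path(base_dir) / "htdocs"
    for rel in (
        "ckeditor/ckeditor.js",              # the editor itself: not a sample, not flagged
        "ckeditor/samples/index.html",       # sample: should not be deployed
        "ckeditor/samples/old/ajax.html",    # sample named in the advisory
        "app/index.html",                    # unrelated application file
    ):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<!-- constructed placeholder for the example -->\n")
    return root


def demo():
    """Build the constructed web root in a temp dir, audit it and return the two lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_web_root(tmp)
        return find_ckeditor_samples(root)


if __name__ == "__main__":
    samples, vulnerable = demo()
    for path in samples:
        label = "KNOWN-VULNERABLE" if path in vulnerable else "sample"
        print(f"{label}: {path}")
```

Any non-empty result from `find_ckeditor_samples` means the deployment still carries files the vendor considers out of scope for production; the remediation is to remove the whole samples directory from the served tree (or block it at the web server) rather than to patch the individual page.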