CVE-2024-43411

2024-08-2116:15:08

CWE-79

GitHub_M

web.nvd.nist.gov

ckeditor4

vulnerability

attack

https

domain

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

AI Score

3.9

Confidence

High

EPSS

Percentile

9.5%

JSON

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us. The fix is available in version 4.25.0-lts.

Affected configurations

Vulners

Node

ckeditorckeditor4Range4.22.0–4.25.0-lts

VendorProductVersionCPE
ckeditorckeditor4*cpe:2.3:a:ckeditor:ckeditor4:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ckeditor	ckeditor4	*	cpe:2.3:a:ckeditor:ckeditor4::::::::

CNA Affected

[
  {
    "vendor": "ckeditor",
    "product": "ckeditor4",
    "versions": [
      {
        "version": ">= 4.22.0, < 4.25.0-lts",
        "status": "affected"
      }
    ]
  }
]