Lucene search

K

CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)

🗓️ 05 Apr 2023 00:00:00Reported by Manish PathakType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 133 Views

CKEditor 5 35.4.0 XSS vulnerability via Full Featured CKEditor5 Widget, allows arbitrary script executio

Show more
Related
Code
ReporterTitlePublishedViews
Family
OSV
Cross-site scripting in CKEditor5
13 Feb 202321:31
osv
Cvelist
CVE-2022-48110
13 Feb 202300:00
cvelist
OpenVAS
CKEditor 5 <= 35.4.0 XSS Vulnerability
14 Feb 202300:00
openvas
0day.today
CKSource CKEditor5 35.4.0 Cross Site Scripting Vulnerability
13 Feb 202300:00
zdt
0day.today
CKEditor 5 35.4.0 - Cross-Site Scripting Vulnerability
5 Apr 202300:00
zdt
NVD
CVE-2022-48110
13 Feb 202320:15
nvd
CVE
CVE-2022-48110
13 Feb 202320:15
cve
UbuntuCve
CVE-2022-48110
13 Feb 202300:00
ubuntucve
Github Security Blog
Cross-site scripting in CKEditor5
13 Feb 202321:31
github
Prion
Cross site scripting
13 Feb 202320:15
prion
Rows per page
# Exploit Title: CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)
# Google Dork: N/A
# Date: February 09, 2023
# Exploit Author: Manish Pathak
# Vendor Homepage: https://cksource.com/
# Software Link: https://ckeditor.com/ckeditor-5/download/
# Version: 35.4.0
# Tested on: Linux / Web
# CVE : CVE-2022-48110



CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via Full Featured CKEditor5 Widget as the editor fails to sanitize user provided data.

An attacker can execute arbitrary script in the browser in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

CKEditor5 version 35.4.0 is tested & found to be vulnerable.

Documentation avaiable at https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html#security

Security Docs Says """The HTML embed feature does not currently execute code in <script> tags. However, it will execute code in the on* and src="javascript:..." attributes."""



Payload:

<div class="raw-html-embed">
    <script>alert(456)</script>
</div>

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
05 Apr 2023 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS36.1
EPSS0.001
133
.json
Report