CVE-2022-31175

CKEditor 5 is a JavaScript rich text editor. A cross-site scripting
vulnerability has been discovered affecting three optional CKEditor 5’s
packages in versions prior to 35.0.1. The vulnerability allowed to trigger
a JavaScript code after fulfilling special conditions. The affected
packages are @ckeditor/ckeditor5-markdown-gfm,
@ckeditor/ckeditor5-html-support, and @ckeditor/ckeditor5-html-embed.
The specific conditions are 1) Using one of the affected packages. In case
of ckeditor5-html-support and ckeditor5-html-embed, additionally, it
was required to use a configuration that allows unsafe markup inside the
editor. 2) Destroying the editor instance and 3) Initializing the editor on
an element and using an element other than <textarea> as a base. The root
cause of the issue was a mechanism responsible for updating the source
element with the markup coming from the CKEditor 5 data pipeline after
destroying the editor. This vulnerability might affect a small percent of
integrators that depend on dynamic editor initialization/destroy and use
Markdown, General HTML Support or HTML embed features. The problem has been
recognized and patched. The fix is available in version 35.0.1. There are
no known workarounds for this issue.

Notes