CVE-2023-28439

ID: UB:CVE-2023-28439
Source: ubuntu.com (Ubuntu CVE tracker)
Published: Mar 22, 2023 - 12:00 a.m. (2023-03-22 00:00:00)

EPSS: 0.003 (Low), Percentile 70.2%

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A
cross-site scripting vulnerability has been discovered affecting the Iframe
Dialog and Media Embed packages. JavaScript code may execute when all of the
following conditions are met: one of the affected packages is used on a web
page without a proper Content Security Policy configuration; the editor is
initialized on an element other than <textarea>; and the editor instance is
destroyed. This vulnerability might affect the small percentage of
integrators that depend on a dynamic editor initialization/destroy
mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare
cases, a security fix may be considered a breaking change. Starting from
version 4.21.0, the Iframe Dialog plugin applies the sandbox attribute by
default, which restricts JavaScript code execution in the iframe element. To
change this behavior, configure the config.iframe_attributes option. Also
starting from version 4.21.0, the Media Embed plugin regenerates the entire
content of the embed widget by default. To change this behavior, configure
the config.embed_keepOriginalContent option. Those who enable either of the
more permissive options, or who cannot upgrade to a patched version, should
properly configure Content Security Policy to avoid any potential security
issues that may arise from embedding iframe elements on their web page.
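The two opt-outs named above, and the CSP fallback the advisory asks for, are easy to get wrong in an integrator's config. The following is an added example, not code from the CKEditor project or from this advisory: it puts a configuration that keeps the 4.21.0 defaults beside one that re-enables the pre-4.21.0 behavior, flags the permissive settings, and runs a minimal check over a Content-Security-Policy header for the directives that matter when iframe and embed content can reach the page. The option names config.iframe_attributes and config.embed_keepOriginalContent come from the advisory; the helper functions, the sample header strings, and the assumed 4.21.0 default value of iframe_attributes (an empty sandbox attribute) are assumptions made for this example, so check them against the docs of the installed version.

```javascript
// Added example, not CKEditor's own code. The default value assumed for
// iframe_attributes (sandbox: '') is an assumption; verify it for your version.

// Configuration that keeps the 4.21.0 defaults: sandboxed iframe without
// script execution, and embed widget content regenerated by the plugin.
const hardenedConfig = {
  extraPlugins: 'iframe,embed',
  iframe_attributes: { sandbox: '', allowfullscreen: '' },
  embed_keepOriginalContent: false,
};

// Configuration that opts back into the pre-4.21.0 behavior. Anyone using
// this must ship a CSP that blocks inline script and untrusted frame origins.
const permissiveConfig = {
  extraPlugins: 'iframe,embed',
  iframe_attributes: { sandbox: 'allow-scripts allow-same-origin', allowfullscreen: '' },
  embed_keepOriginalContent: true,
};

// Returns a list of settings that re-open what the 4.21.0 defaults closed.
// An empty list means the config matches the hardened defaults.
function permissiveSettings(config) {
  const findings = [];
  const attrs = config.iframe_attributes;
  if (attrs === undefined) {
    // Nothing to report: the plugin applies the sandbox attribute itself.
  } else if (!('sandbox' in attrs)) {
    // Assumption: a custom attribute list without 'sandbox' drops the attribute.
    findings.push('iframe_attributes drops the sandbox attribute');
  } else if (/\ballow-scripts\b/.test(attrs.sandbox)) {
    findings.push('iframe_attributes sandbox allows scripts');
  }
  if (config.embed_keepOriginalContent === true) {
    findings.push('embed_keepOriginalContent keeps the original embed markup');
  }
  return findings;
}

// Parses a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Walks a fetch directive's CSP3 fallback chain (e.g. frame-src -> child-src
// -> default-src). Returns null when no directive in the chain is set, which
// the browser treats as unrestricted.
function effectiveSources(policy, chain) {
  for (const name of chain) {
    if (policy[name] !== undefined) return policy[name];
  }
  return null;
}

// Minimal check of the directives relevant to iframe/embed content: inline
// script must not be allowed (unless a nonce or hash makes 'unsafe-inline'
// inert), and script or frame sources must not be a wildcard.
function cspProblems(header) {
  const policy = parseCsp(header);
  const problems = [];
  const scripts = effectiveSources(policy, ['script-src', 'default-src']);
  if (scripts === null) {
    problems.push('no script-src or default-src: inline script is allowed');
  } else {
    const hasNonceOrHash = scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) {
      problems.push("script-src allows 'unsafe-inline' without a nonce or hash");
    }
    if (scripts.includes('*')) problems.push('script-src allows any origin');
  }
  const frames = effectiveSources(policy, ['frame-src', 'child-src', 'default-src']);
  if (frames === null) {
    problems.push('no frame-src, child-src or default-src: any iframe origin is allowed');
  } else if (frames.includes('*')) {
    problems.push('frame-src allows any origin');
  }
  return problems;
}

// Constructed sample headers for a local run.
const goodCsp = "default-src 'self'; script-src 'self'; frame-src 'self'";
const weakCsp = "default-src *; script-src 'self' 'unsafe-inline'";

console.log('hardened config findings:', permissiveSettings(hardenedConfig));
console.log('permissive config findings:', permissiveSettings(permissiveConfig));
console.log('good CSP problems:', cspProblems(goodCsp));
console.log('weak CSP problems:', cspProblems(weakCsp));
```

The check is deliberately narrow: it answers only whether the policy blocks inline script and wildcard frame origins, which is the minimum before keeping the permissive options or running an unpatched version. A real deployment should also review object-src, base-uri, and the specific origins allowed in frame-src.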

Notes

Author: sbeattie
Note: embedded copies of ckeditor are in ldap-account-manager, rt4, and rt5
