CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
25.0%
CKEditor4 is vulnerable to Cross-site Scripting. The vulnerability is due to editor instances that have enabled full-page editing mode or enabled CDATA elements in the Advanced Content Filtering configuration (which defaults to script
and style
elements). This flaw allows an attacker to inject malformed HTML content that bypasses the Advanced Content Filtering mechanism, resulting in the execution of JavaScript code.
ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata
ckeditor.com/docs/ckeditor4/latest/features/fullpage.html
ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html
github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb
github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
www.drupal.org/sa-contrib-2024-009