Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-28439

Опубликовано: 22 мар. 2023
Источник: nvd
CVSS3: 4.7
CVSS3: 6.1
EPSS Низкий

Описание

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than <textarea> as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism.

A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the sandbox attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the config.iframe_attributes option. Also starti

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*
Версия от 4.0 (включая) до 4.21.0 (исключая)
Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

EPSS

Процентиль: 54%
0.00317
Низкий

4.7 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79
CWE-79

Связанные уязвимости

ubuntu логотип

CVE-2023-28439

CVSS3: 4.7
ubuntu
почти 3 года назад

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also star...

debian логотип

CVE-2023-28439

CVSS3: 4.7
debian
почти 3 года назад

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...

fstec логотип

BDU:2023-05267

CVSS3: 6.1
fstec
почти 3 года назад

Уязвимость пакетов Iframe Dialog и Media Embed WYSIWYG-редактора CKEditor, позволяющая нарушителю выполнить произвольный JavaScript-код

EPSS

Процентиль: 54%
0.00317
Низкий

4.7 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79
CWE-79