CVE-2018-17960

Name of the Vulnerable Software and Affected Versions CKEditor versions 4.x before 4.11.0

Description The issue is related to the lack of protection of the web page structure in the CKEditor WYSIWYG editor. Exploitation of this issue can allow a remote attacker to conduct XSS attacks. This can be achieved by persuading the victim to switch the editor to source mode, paste specially crafted HTML code into the source area, and then switch back to WYSIWYG mode. Although this scenario is unlikely, it poses a risk.

Recommendations For CKEditor versions 4.x before 4.11.0, upgrade to the latest editor version to resolve the issue. As a temporary workaround, consider restricting the use of the source mode feature in CKEditor to minimize the risk of exploitation. Avoid pasting untrusted HTML code into the CKEditor source area until the issue is resolved.