CVE-2022-48110

Name of the Vulnerable Software and Affected Versions CKSource CKEditor 5 version 35.4.0

Description The issue is related to a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. It is noted that the vendor's position is that this is not a vulnerability, as the responsibility of choosing the correct security settings for their use case lies with the integrator adding CKEditor 5 functionality to a website. Safe default values are established, such as config.htmlEmbed.showPreviews being set to false. The vulnerability may allow a remote attacker to conduct an XSS attack due to insufficient protection of the web page structure.

Recommendations For CKSource CKEditor 5 version 35.4.0, consider reviewing and adjusting the security settings according to the integrator's use case, ensuring safe default values are applied, such as setting config.htmlEmbed.showPreviews to false. As a temporary workaround, consider restricting the use of the Full Featured CKEditor5 widget until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.