Jacekbogdanski

**Name of the Vulnerable Software and Affected Versions** CKEditor4 versions 4.22 through 4.24 **Description** A theoretical issue has been identified in CKEditor4. In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor4 instances. The issue impacts only editor instances with enabled version notifications. This feature is disabled by default in all CKEditor4 LTS versions. **Recommendations** For CKEditor4 versions 4.22 through 4.24, update to version 4.25.0-lts to resolve the issue. As a temporary workaround, consider disabling the version notifications feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CKEditor4 versions prior to 4.21.0 **Description** A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages in CKEditor4. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. **Recommendations** To resolve the issue, update to CKEditor4 version 4.21.0 or later. For versions prior to 4.21.0, properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on the web page. As a temporary workaround, consider configuring the `config.iframe attributes` option to apply the `sandbox` attribute, which restricts JavaScript code execution in the iframe element, and the `config.embed keepOriginalContent` option to regenerate the entire content of the embed widget by default.