Status Board · CVE-2018-11093
**Name of the Vulnerable Software and Affected Versions**
CKEditor 5 versions prior to 10.0.1
status-board versions prior to 10.0.1
**Description**
A cross-site scripting issue allows remote attackers to inject arbitrary web script through a crafted `href` attribute of a link element. The `createPreviewButton()` function fails to sanitize the `href` attribute of a created `<a>` tag, which may allow attackers to execute arbitrary JavaScript in a victim's browser.
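The missing check described above, shown as an added example that is not CKEditor 5 or status-board code: a simplified model of a preview link that copies `href` unchanged, next to a version that passes it through a scheme allow-list. The function names, the allow-listed schemes and the sample values are assumptions made for illustration.

```javascript
// Added example, not CKEditor 5 source. All function names here are hypothetical.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'ftp:', 'tel:']);

// Browsers drop tab/CR/LF anywhere in a URL and skip leading control or space
// characters before reading the scheme, so normalize the same way first.
function normalizeForSchemeCheck(url) {
  return String(url)
    .replace(/[\t\r\n]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
}

// Returns the URL when it has no scheme (relative) or an allow-listed scheme,
// otherwise '#'. Assumes the result is set through a DOM attribute API,
// not concatenated into an HTML string.
function safeHref(url) {
  const cleaned = normalizeForSchemeCheck(url);
  const match = /^[a-zA-Z][a-zA-Z0-9+.-]*:/.exec(cleaned);
  if (!match) return cleaned;
  return SAFE_SCHEMES.has(match[0].toLowerCase()) ? cleaned : '#';
}

// Simplified model of the flaw: href copied to the preview link unchanged.
function previewAttributesUnsafe(href) {
  return { href, target: '_blank' };
}

// Hardened form: href goes through the allow-list before it reaches the <a>.
function previewAttributesSafe(href) {
  return { href: safeHref(href), target: '_blank', rel: 'noopener noreferrer' };
}

// Constructed sample values, for illustration only.
const samples = [
  'https://example.com/page',
  '/docs/intro',
  'mailto:user@example.com',
  'javascript:alert(1)',
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<b>x</b>',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', previewAttributesSafe(s).href);
}
```

A deny-list that only looks for the literal string `javascript:` would miss the mixed-case and tab-split samples, which is why the check normalizes first and allows known schemes only.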
**Recommendations**
For CKEditor 5 versions prior to 10.0.1, upgrade to version 10.0.1 or later.
For status-board versions prior to 10.0.1, upgrade to version 10.0.1 or later.