PT-2022-20587 · Cksource · Ckeditor 5

Mgsypublished

Published: 2022-08-03 · Updated: 2022-08-09 · CVE-2022-31175

CVSS v3.1: 5.8 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

CKEditor 5 versions prior to 35.0.1

Description

A cross-site scripting issue has been discovered in CKEditor 5, affecting three optional packages: @ckeditor/ckeditor5-markdown-gfm, @ckeditor/ckeditor5-html-support, and @ckeditor/ckeditor5-html-embed. The vulnerability allows triggering JavaScript code after fulfilling specific conditions, including using one of the affected packages, destroying the editor instance, and initializing the editor on an element other than <textarea>. The root cause is a mechanism responsible for updating the source element with markup from the CKEditor 5 data pipeline after destroying the editor. This issue might affect a small percentage of integrators that depend on dynamic editor initialization/destroy and use Markdown, General HTML Support, or HTML embed features.

Recommendations

For versions prior to 35.0.1, update to version 35.0.1 to resolve the issue. As a temporary workaround, consider avoiding the use of the affected packages @ckeditor/ckeditor5-markdown-gfm, @ckeditor/ckeditor5-html-support, and @ckeditor/ckeditor5-html-embed until the update is applied. Restrict access to configurations that allow unsafe markup inside the editor for ckeditor5-html-support and ckeditor5-html-embed packages to minimize the risk of exploitation. Avoid initializing the editor on elements other than <textarea> and refrain from destroying the editor instance unless necessary, until the update is applied.
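
A dependency check for the update recommendation, as an added example that is not part of the original advisory or of CKEditor's own code: it scans a parsed package-lock.json for the three affected packages at versions below 35.0.1. It assumes an npm lockfile with lockfileVersion 2 or 3 (a "packages" map); the function names and the sample lockfile are constructed for illustration.

```javascript
// Audit a parsed package-lock.json (lockfileVersion 2 or 3, assumed) for the
// packages named in this advisory at versions below the fixed release.
const AFFECTED = [
  '@ckeditor/ckeditor5-markdown-gfm',
  '@ckeditor/ckeditor5-html-support',
  '@ckeditor/ckeditor5-html-embed',
];
const FIXED = [35, 0, 1];

// Parse "major.minor.patch"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelowFixed(v) {
  const p = parseVersion(v);
  if (!p) return true; // unparseable version: flag it for manual review
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false; // exactly the fixed version
}

// Returns [{ name, version, path }] for every vulnerable copy, including
// nested installs such as node_modules/a/node_modules/@ckeditor/...
function findAffected(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (AFFECTED.includes(name) && isBelowFixed(meta.version)) {
      findings.push({ name, version: meta.version, path });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@ckeditor/ckeditor5-html-support': { version: '34.2.0' },
    'node_modules/@ckeditor/ckeditor5-html-embed': { version: '35.0.1' },
    'node_modules/cms/node_modules/@ckeditor/ckeditor5-markdown-gfm': { version: '35.0.0' },
    'node_modules/@ckeditor/ckeditor5-core': { version: '34.2.0' },
  },
};
console.log(findAffected(sampleLock));
```

A nested copy pulled in by another dependency is reported with its full path, since updating only the top-level package would leave it in place.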

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2022-31175
GHSA-42WQ-RCH8-6F6J

Affected Products

Ckeditor 5