PT-2023-30581 · Cksource+1 · Ckeditor+1
Rafael Pedrero
·
Published
2023-11-16
·
Updated
2024-02-07
·
CVE-2023-4771
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
CKEditor versions 4.15.1 and earlier
CKEditor versions prior to 4.24.0-lts
Description
A Cross-Site scripting issue has been found in CKSource CKEditor. An attacker could send malicious javascript code through the "samples/old/ajax.html" file and retrieve an authorized user's information. The vulnerability affects all users using the CKEditor 4 where the
samples/old/ajax.html file is used in a production environment.Recommendations
For versions 4.15.1 and earlier, update to version 4.24.0-lts or later to resolve the issue.
As a temporary workaround, consider restricting access to the
samples/old/ajax.html file until a patch is available.
Avoid using the samples/old/ajax.html file in production environments until the issue is resolved.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ckeditor
Debian