CVE-2023-28439

Name of the Vulnerable Software and Affected Versions CKEditor4 versions prior to 4.21.0

Description A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages in CKEditor4. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than <textarea> as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism.

Recommendations To resolve the issue, update to CKEditor4 version 4.21.0 or later. For versions prior to 4.21.0, properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on the web page. As a temporary workaround, consider configuring the config.iframe attributes option to apply the sandbox attribute, which restricts JavaScript code execution in the iframe element, and the config.embed keepOriginalContent option to regenerate the entire content of the embed widget by default.