CVE-2024-43407

Name of the Vulnerable Software and Affected Versions CKEditor4 versions prior to 4.25.0-lts

Description A potential vulnerability has been discovered in the CKEditor 4 Code Snippet GeSHi plugin, allowing a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library. The GeSHi library, included as a vendor dependency in CKEditor 4 source files, is no longer actively maintained, and its continued use poses potential security risks. An attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server.

Recommendations To mitigate the risks, upgrade to version 4.25.0-lts or later, which removes the GeSHi library as a dependency. For integrators who still want to use the GeSHi syntax highlighter, manually add the library, but be aware of the potential security vulnerabilities associated with its use. As a temporary workaround, consider disabling the GeSHi syntax highlighter until a patch is available. Restrict access to the vulnerable Code Snippet GeSHi plugin to minimize the risk of exploitation.