PT-2024-30569 · CKSource · CKEditor4
Jacekbogdanski
Published 2024-08-21 · Updated 2025-02-06
CVE-2024-43411
CVSS v4.0: 4.8 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
CKEditor4 versions 4.22 through 4.24
Description
A theoretical issue has been identified in CKEditor4. In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor4 instances. The issue impacts only editor instances with enabled version notifications. This feature is disabled by default in all CKEditor4 LTS versions.
Recommendations
For CKEditor4 versions 4.22 through 4.24, update to version 4.25.0-lts to resolve the issue.
As a temporary workaround, consider disabling the version notifications feature until a patch is available.
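As an added example (not code from the advisory or from CKSource), the script below triages an inventory of CKEditor4 instances against the two conditions this advisory sets out: a version in the affected range (4.22 through 4.24, fixed in 4.25.0-lts) and version notifications enabled. It assumes the notification feature is controlled by the CKEditor4 configuration option `versionCheck`, which the advisory does not name, and runs over a constructed sample inventory.

```javascript
// Added example, not part of the advisory: decide for each CKEditor4 instance
// whether it is exposed per PT-2024-30569 / CVE-2024-43411 and what to do.
// Assumption: the version-notification feature is governed by the config
// option `versionCheck` (not named on the advisory page).

const FIRST_AFFECTED = [4, 22, 0]; // "4.22 through 4.24"
const FIXED = [4, 25, 0];          // "update to version 4.25.0-lts"

// "4.25.0-lts" -> [4, 25, 0]; the "-lts" suffix does not affect ordering.
function parseVersion(str) {
  const core = String(str).trim().split('-')[0];
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length < 2 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${str}`);
  }
  while (parts.length < 3) parts.push(0); // "4.22" -> 4.22.0
  return parts.slice(0, 3);
}

// Lexicographic compare on [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected: FIRST_AFFECTED <= version < FIXED.
function inAffectedRange(version) {
  const v = parseVersion(version);
  return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIXED) < 0;
}

// Explicit config wins. When unset, follow the advisory: the feature is
// disabled by default in LTS builds, so a "-lts" version is treated as off;
// any other build is treated as possibly on and flagged for action.
function notificationsEnabled(instance) {
  const cfg = instance.config || {};
  if (typeof cfg.versionCheck === 'boolean') return cfg.versionCheck;
  return !/-lts$/i.test(String(instance.version).trim());
}

function triage(instance) {
  const result = { name: instance.name, exposed: false, action: 'none' };
  if (!inAffectedRange(instance.version)) return result;
  if (!notificationsEnabled(instance)) {
    result.action = 'update to 4.25.0-lts';
    return result;
  }
  result.exposed = true;
  result.action = 'update to 4.25.0-lts; until then set versionCheck: false';
  return result;
}

function triageAll(instances) {
  return instances.map(triage);
}

// Constructed sample inventory (not real deployments).
const sampleInstances = [
  { name: 'intranet-cms', version: '4.22.1', config: { versionCheck: true } },
  { name: 'ticket-portal', version: '4.24.0-lts', config: { versionCheck: false } },
  { name: 'blog-admin', version: '4.21.0', config: { versionCheck: true } },
  { name: 'wiki', version: '4.25.0-lts', config: { versionCheck: true } },
  { name: 'legacy-forms', version: '4.23.0-lts' }, // versionCheck unset
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of triageAll(sampleInstances)) console.log(r);
}
```

Only the combination of an affected version and an enabled notification feature marks an instance as exposed; an affected version with the feature off still gets the update recommendation, since the workaround is described as temporary.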
Exploit · Fix · XSS
Affected Products
Ckeditor4
Linuxmint
Ubuntu