Name of the Vulnerable Software and Affected Versions:
ckeditor5 versions 44.2.0 through 45.2.1
ckeditor5 versions 46.0.0 through 46.0.2
ckeditor5-clipboard versions 44.2.0 through 45.2.1
ckeditor5-clipboard versions 46.0.0 through 46.0.2
Description:
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. The software contains a Cross-Site Scripting (XSS) vulnerability. Exploitation could lead to unauthorized JavaScript code execution if an attacker inserts malicious content into the editor, which can occur under a specific editor configuration. This issue affects installations where the HTML embed plugin is enabled, or where a custom plugin introduces an editable element in which the view RawElement is enabled.
Recommendations:
Update to ckeditor5 version 45.2.2 or later.
Update to ckeditor5-clipboard version 45.2.2 or later.
Update to ckeditor5 version 46.0.3 or later.
Update to ckeditor5-clipboard version 46.0.3 or later.
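Added example (not part of this advisory or of the CKEditor project): a small JavaScript check that takes the resolved versions of ckeditor5 and ckeditor5-clipboard (for instance from a lockfile) and reports which of them fall inside the affected ranges stated above, together with the version the advisory says to update to. The affected and fixed version numbers are the ones listed in this advisory; the sample dependency map at the bottom is constructed for illustration. One design choice of this example, not a statement of the advisory, is that a pre-release of a fixed version (such as 45.2.2-alpha.0) is treated as still affected, since the advisory names 45.2.2 and 46.0.3 as the first fixed releases.

```javascript
// Affected ranges taken from the advisory. An installed version is treated
// as affected when  from <= installed < fixed  (the "to" bound of the
// advisory is the release immediately before "fixed", so this is the same
// set for normal releases and conservative for pre-releases of "fixed").
const AFFECTED_RANGES = {
  ckeditor5: [
    { from: '44.2.0', fixed: '45.2.2' },
    { from: '46.0.0', fixed: '46.0.3' },
  ],
  'ckeditor5-clipboard': [
    { from: '44.2.0', fixed: '45.2.2' },
    { from: '46.0.0', fixed: '46.0.3' },
  ],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into
// [major, minor, patch, isPrerelease]. Build metadata is ignored.
function parseVersion(v) {
  const s = String(v).trim().replace(/^v/, '');
  const withoutBuild = s.split('+')[0];
  const dash = withoutBuild.indexOf('-');
  const core = dash === -1 ? withoutBuild : withoutBuild.slice(0, dash);
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return [...parts, dash !== -1];
}

// Compare two versions: -1, 0 or 1. A pre-release sorts below the
// release with the same core numbers (45.2.2-alpha.0 < 45.2.2).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  if (pa[3] === pb[3]) return 0;
  return pa[3] ? -1 : 1;
}

// Return the version to update to when `installed` is affected,
// or null when it is outside every affected range (or the package is
// not covered by this advisory at all).
function fixedVersionFor(pkg, installed) {
  const ranges = AFFECTED_RANGES[pkg];
  if (!ranges) return null;
  for (const r of ranges) {
    if (compareVersions(installed, r.from) >= 0 && compareVersions(installed, r.fixed) < 0) {
      return r.fixed;
    }
  }
  return null;
}

// Walk a { packageName: resolvedVersion } map and collect findings.
function auditDependencies(deps) {
  const findings = [];
  for (const [pkg, version] of Object.entries(deps)) {
    const fixed = fixedVersionFor(pkg, version);
    if (fixed !== null) findings.push({ pkg, installed: version, updateTo: fixed });
  }
  return findings;
}

// Constructed sample of resolved versions, for illustration only.
const SAMPLE_INSTALLED = {
  ckeditor5: '45.1.0',
  'ckeditor5-clipboard': '46.0.3',
  lodash: '4.17.21',
};

console.log(auditDependencies(SAMPLE_INSTALLED));
```

Feed `auditDependencies` the resolved versions from your lockfile rather than the ranges in package.json (a range such as `^45.1.0` is not an installed version and is rejected by `parseVersion`); an empty result means none of the listed packages is inside the advisory's affected ranges.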