CVE-2018-17960 – typo3/cms-core
Package
Manager: composer
Name: typo3/cms-core
Vulnerable Version: >=8.0.0 <8.7.21 || >=9.0.0 <9.5.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01502 (percentile: 0.80399)
Details
CKEditor XSS Vulnerability

CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. It was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, it is recommended to upgrade to the latest editor version.
Metadata
Created: 2018-11-21T22:19:50Z
Modified: 2023-09-08T21:34:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-g68x-vvqq-pvw3/GHSA-g68x-vvqq-pvw3.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-g68x-vvqq-pvw3
Finding: F008
Auto approve: 1