Reflected cross-site scripting (XSS) in ckeditor-wordcount-plugin

Description

ckeditor-wordcount-plugin is vulnerable to cross-site scripting in the editor's source mode.

Problem

The ckeditor-wordcount-plugin for CKEditor 4 is susceptible to cross-site scripting when the editor is switched to source code mode.

Solution

Update to version 1.17.12 of ckeditor-wordcount-plugin.

Credits

    @sypets for reporting this finding to the TYPO3 Security Team

    @ohader for fixing the issue on behalf of the TYPO3 Security Team

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions