Fluid Attacks Database

Description

CKEditor cross-site scripting vulnerability in AJAX sample

Affected packages

The vulnerability has been discovered in the AJAX sample available at the samples/old/ajax.html file location. All integrators that use that sample in the production code can be affected.

Impact

A potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. It affects all users using the CKEditor 4 at version < 4.24.0-lts where samples/old/ajax.html is used in a production environment.

Patches

The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Rafael Pedrero and INCIBE (original report) for recognizing and reporting this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	ckeditor	=4.16.0+dfsg-2 \|\| =4.16.2+dfsg-1 \|\| =4.19.0+dfsg-1 \|\| =4.19.1+dfsg-1 \|\| =4.22.1+dfsg-1 \|\| =4.22.1+dfsg1-2	-
npm	ckeditor4	>=0 <4.24.0-lts	4.24.0-lts
debian 12	ckeditor	=4.19.1+dfsg-1 \|\| =4.22.1+dfsg-1 \|\| =4.22.1+dfsg1-2	-

Aliases

1. CVE-2023-47712. NVD-2023-47713. OSV-DEBIAN-2023-47714. OSV-2023-47715. GHSA-wh5w-82f3-wrxh6. GCVE-2023-47717. SECURITY-TRACKER-CVE-2023-4771

References

1. https://github.com/sahar042/CVE-2023-47712. https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-wh5w-82f3-wrxh3. https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb4. https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-cksource-ckeditor