Search for packages
| purl | pkg:deb/debian/ckeditor3@3.6.6.1%2Bdfsg-7?distro=bullseye |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-8hvk-a5es-v3e4 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source WYSIWYG HTML editor. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. |
CVE-2021-41164
GHSA-pvmx-g8h5-cprj |
| VCID-c8r2-wpf3-47f9 | CKEditor 4 ReDoS Vulnerability It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin). |
CVE-2021-26271
GHSA-jv4c-7jqq-m34x |
| VCID-h5zz-wz8f-2uf6 | Inclusion of Functionality from Untrusted Control Sphere in CKEditor 4 It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin). |
CVE-2021-26272
GHSA-wpvm-wqr4-p7cw |
| VCID-usbf-pmfq-1fb6 | Cross-site scripting (XSS) in the clipboard package ### Impact During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability affects **only** installations where the editor configuration meets the following criteria: 1. The [**Block Toolbar**](https://ckeditor.com/docs/ckeditor5/latest/getting-started/setup/toolbar.html#block-toolbar) plugin is enabled. 1. One of the following plugins is also enabled: - [**General HTML Support**](https://ckeditor.com/docs/ckeditor5/latest/features/html/general-html-support.html) with a configuration that permits unsafe markup. - [**HTML Embed**](https://ckeditor.com/docs/ckeditor5/latest/features/html/html-embed.html). ### Patches The problem has been recognized and patched. The fix will be available in version 43.1.1 (and above), and explicitly in version 41.3.2. ### Workarounds It's highly recommended to update to the version 43.1.1 or higher. However, if the update is not an option, we recommend disabling the block toolbar plugin. ### For more information Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory. |
CVE-2024-45613
GHSA-rgg8-g5x8-wr9v |
| VCID-vj35-jtgq-8qbv | Cross-site Scripting ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched. |
CVE-2021-37695
GHSA-m94c-37g6-cjhc |
| VCID-xhp7-kqdk-tfeu | Improper Input Validation CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. |
CVE-2022-24729
GHSA-f6rf-9m92-x2hh |