Search for packages
| purl | pkg:deb/debian/ckeditor@4.19.1%2Bdfsg-1?distro=sid |
| Next non-vulnerable version | 4.22.1+dfsg-1 |
| Latest non-vulnerable version | 4.22.1+dfsg-1 |
| Risk | 2.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-k7qp-c6vp-sqbg
Aliases: CVE-2023-28439 GHSA-vh5c-xwqv-cv9g |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-17pr-6guy-53ge | Cross-site Scripting ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched. The fix will be available |
CVE-2021-32808
GHSA-6226-h7ff-ch6c |
| VCID-3htn-j487-3ydn | Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package ### Impact During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users' positions within the document. This vulnerability affects only installations with [Real-time collaborative editing](https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html) enabled. ### Patches The problem has been recognized and patched. The fix will be available in version 44.2.1 (and above). ### For more information Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory. |
CVE-2025-25299
GHSA-j3mm-wmfm-mwvh |
| VCID-3tqv-ppue-57fr | CKEditor4 low-risk cross-site scripting (XSS) vulnerability linked to potential domain takeover ### Affected Packages The issue impacts only editor instances with enabled [version notifications](https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_config.html#cfg-versionCheck). Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please [contact us](mailto:security@cksource.com). ### Impact A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. Although the vulnerability is purely hypothetical, we have addressed it in CKEditor 4.25.0-lts to ensure compliance with security best practices. ### Patches The issue has been recognized and patched. The fix is available in version 4.25.0-lts. ### For More Information If you have any questions or comments about this advisory, please email us at [security@cksource.com](mailto:security@cksource.com). |
CVE-2024-43411
GHSA-6v96-m24v-f58j |
| VCID-4x92-vapt-n7dz | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source WYSIWYG HTML editor. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at The problem has been recognized and patched. |
CVE-2021-41165
GHSA-7h26-63m7-qhf2 |
| VCID-8hvk-a5es-v3e4 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source WYSIWYG HTML editor. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. |
CVE-2021-41164
GHSA-pvmx-g8h5-cprj |
| VCID-c8r2-wpf3-47f9 | CKEditor 4 ReDoS Vulnerability It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin). |
CVE-2021-26271
GHSA-jv4c-7jqq-m34x |
| VCID-h5zz-wz8f-2uf6 | Inclusion of Functionality from Untrusted Control Sphere in CKEditor 4 It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin). |
CVE-2021-26272
GHSA-wpvm-wqr4-p7cw |
| VCID-qb4j-9tz7-m7a2 | Cross-site Scripting CKEditor allows user-assisted XSS involving a source-mode paste. |
CVE-2018-17960
GHSA-g68x-vvqq-pvw3 |
| VCID-s8u8-xbdk-87dj | ckeditor4 vulnerable to cross-site scripting A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because `--!>` is mishandled. |
CVE-2021-33829
GHSA-rgx6-rjj4-c388 |
| VCID-sd2a-hmu2-wbax | Code Injection ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. |
CVE-2021-32809
GHSA-7889-rm5j-hpgg |
| VCID-tkcr-ecev-k3af | The Preview plugin in CKEditor allows Cross-site scripting (XSS) Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
CVE-2014-5191
GHSA-v27h-j97p-wqmx |
| VCID-un66-k85j-b7d2 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. |
CVE-2022-24728
GHSA-4fc4-4p5g-6w89 |
| VCID-usbf-pmfq-1fb6 | Cross-site scripting (XSS) in the clipboard package ### Impact During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability affects **only** installations where the editor configuration meets the following criteria: 1. The [**Block Toolbar**](https://ckeditor.com/docs/ckeditor5/latest/getting-started/setup/toolbar.html#block-toolbar) plugin is enabled. 1. One of the following plugins is also enabled: - [**General HTML Support**](https://ckeditor.com/docs/ckeditor5/latest/features/html/general-html-support.html) with a configuration that permits unsafe markup. - [**HTML Embed**](https://ckeditor.com/docs/ckeditor5/latest/features/html/html-embed.html). ### Patches The problem has been recognized and patched. The fix will be available in version 43.1.1 (and above), and explicitly in version 41.3.2. ### Workarounds It's highly recommended to update to the version 43.1.1 or higher. However, if the update is not an option, we recommend disabling the block toolbar plugin. ### For more information Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory. |
CVE-2024-45613
GHSA-rgg8-g5x8-wr9v |
| VCID-vj35-jtgq-8qbv | Cross-site Scripting ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched. |
CVE-2021-37695
GHSA-m94c-37g6-cjhc |
| VCID-xhp7-kqdk-tfeu | Improper Input Validation CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. |
CVE-2022-24729
GHSA-f6rf-9m92-x2hh |