Search for packages
| purl | pkg:npm/ckeditor4@4.15.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-17pr-6guy-53ge
Aliases: CVE-2021-32808 GHSA-6226-h7ff-ch6c |
Cross-site Scripting ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched. The fix will be available |
Affected by 9 other vulnerabilities. |
|
VCID-4x92-vapt-n7dz
Aliases: CVE-2021-41165 GHSA-7h26-63m7-qhf2 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source WYSIWYG HTML editor. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at The problem has been recognized and patched. |
Affected by 7 other vulnerabilities. |
|
VCID-8hvk-a5es-v3e4
Aliases: CVE-2021-41164 GHSA-pvmx-g8h5-cprj |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source WYSIWYG HTML editor. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. |
Affected by 7 other vulnerabilities. |
|
VCID-c8r2-wpf3-47f9
Aliases: CVE-2021-26271 GHSA-jv4c-7jqq-m34x |
CKEditor 4 ReDoS Vulnerability It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin). |
Affected by 13 other vulnerabilities. |
|
VCID-cjwn-p59n-8ygs
Aliases: CVE-2024-24815 GHSA-fq6h-4g8v-qqvm |
CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection ### Affected packages The vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that: * Enabled [full-page editing](https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html) mode, * or enabled [CDATA](https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata) elements in [Advanced Content Filtering](https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html) configuration (defaults to `script` and `style` elements). ### Impact A potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. It affects all users using the CKEditor 4 at version < 4.24.0-lts. ### Patches The problem has been recognized and patched. The fix will be available in version 4.24.0-lts. ### For more information Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory. ### Acknowledgements The CKEditor 4 team would like to thank [Michal Frýba](https://cz.linkedin.com/in/michal-fryba) from [ALEF NULA](https://www.alefnula.com/) for recognizing and reporting this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-h5zz-wz8f-2uf6
Aliases: CVE-2021-26272 GHSA-wpvm-wqr4-p7cw |
Inclusion of Functionality from Untrusted Control Sphere in CKEditor 4 It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin). |
Affected by 13 other vulnerabilities. |
|
VCID-h8tt-ky69-fuch
Aliases: CVE-2023-4771 GHSA-hxjc-9j8v-v9pr GHSA-wh5w-82f3-wrxh GMS-2024-140 |
CKEditor cross-site scripting vulnerability in AJAX sample ### Affected packages The vulnerability has been discovered in the AJAX sample available at the `samples/old/ajax.html` file location. All integrators that use that sample in the production code can be affected. ### Impact A potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. It affects all users using the CKEditor 4 at version < 4.24.0-lts where `samples/old/ajax.html` is used in a production environment. ### Patches The problem has been recognized and patched. The fix will be available in version 4.24.0-lts. ### For more information Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory. ### Acknowledgements The CKEditor 4 team would like to thank Rafael Pedrero and INCIBE ([original report](https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-cksource-ckeditor)) for recognizing and reporting this vulnerability. |
Affected by 13 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-k7qp-c6vp-sqbg
Aliases: CVE-2023-28439 GHSA-vh5c-xwqv-cv9g |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page. |
Affected by 4 other vulnerabilities. |
|
VCID-pg9q-44g1-vyhk
Aliases: CVE-2020-27193 GHSA-4m44-5j2g-xf64 |
Improper Neutralization of Input During Web Page Generation in CKEditor4 A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs. |
Affected by 15 other vulnerabilities. |
|
VCID-s8u8-xbdk-87dj
Aliases: CVE-2021-33829 GHSA-rgx6-rjj4-c388 |
ckeditor4 vulnerable to cross-site scripting A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because `--!>` is mishandled. |
Affected by 12 other vulnerabilities. |
|
VCID-sd2a-hmu2-wbax
Aliases: CVE-2021-32809 GHSA-7889-rm5j-hpgg |
Code Injection ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. |
Affected by 9 other vulnerabilities. |
|
VCID-un66-k85j-b7d2
Aliases: CVE-2022-24728 GHSA-4fc4-4p5g-6w89 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. |
Affected by 5 other vulnerabilities. |
|
VCID-uw7w-utew-ufb2
Aliases: CVE-2024-43407 GHSA-7r32-vfj5-c2jv |
Code Snippet GeSHi plugin in CKEditor 4 has reflected cross-site scripting (XSS) vulnerability ### Affected packages The vulnerability has been discovered in [Code Snippet GeSHi](https://ckeditor.com/cke4/addon/codesnippetgeshi) plugin. All integrators that use [GeSHi syntax highlighter](https://github.com/GeSHi/geshi-1.0) on the backend side can be affected. ### Impact A potential vulnerability has been discovered in CKEditor 4 [Code Snippet GeSHi](https://ckeditor.com/cke4/addon/codesnippetgeshi) plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the [GeSHi syntax highlighter library](https://github.com/GeSHi/geshi-1.0) hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. ### Patches The [GeSHi library](https://github.com/GeSHi/geshi-1.0) is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. To integrators who still want to use the GeSHi syntax highlighter, we recommend manually adding the [GeSHi library](https://github.com/GeSHi/geshi-1.0) . Please be aware of and understand the potential security vulnerabilities associated with its use. The fix is be available in version 4.25.0-lts. ### Acknowledgements The CKEditor 4 team would like to thank [Jiasheng He](https://github.com/Hebing123) from Qihoo 360 for recognizing and reporting this vulnerability. ### For more information Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory. |
Affected by 0 other vulnerabilities. |
|
VCID-vc97-xds1-67gu
Aliases: CVE-2024-24816 GHSA-mw2c-vx6j-mg76 |
CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature ### Affected packages The vulnerability has been discovered in the samples that use the [preview](https://ckeditor.com/cke4/addon/preview) feature: * `samples/old/**/*.html` * `plugins/[plugin name]/samples/**/*.html` All integrators that use these samples in the production code can be affected. ### Impact A potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured [preview feature](https://ckeditor.com/cke4/addon/preview). It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. ### Patches The problem has been recognized and patched. The fix will be available in version 4.24.0-lts. ### For more information Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory. ### Acknowledgements The CKEditor 4 team would like to thank [Marcin Wyczechowski](https://www.linkedin.com/in/marcin-wyczechowski-0a823795/) & [Michał Majchrowicz](https://www.linkedin.com/in/micha%C5%82-majchrowicz-mwsc/) [AFINE Team](https://afine.com/) for recognizing and reporting this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-vj35-jtgq-8qbv
Aliases: CVE-2021-37695 GHSA-m94c-37g6-cjhc |
Cross-site Scripting ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched. |
Affected by 9 other vulnerabilities. |
|
VCID-xhp7-kqdk-tfeu
Aliases: CVE-2022-24729 GHSA-f6rf-9m92-x2hh |
Improper Input Validation CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. |
Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||