VulnerableCode Package Details - pkg:deb/debian/ckeditor@4.19.1%2Bdfsg-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-v8en-17hx-mqbv Aliases: CVE-2023-28439 GHSA-vh5c-xwqv-cv9g	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.	4.22.1+dfsg1-2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-v8en-17hx-mqbv
Aliases:
CVE-2023-28439
GHSA-vh5c-xwqv-cv9g

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.

4.22.1+dfsg1-2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-39xu-3gsh-hbe9	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.	CVE-2022-24728 GHSA-4fc4-4p5g-6w89
VCID-cff2-8n98-fbdz	ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.	CVE-2021-32808 GHSA-6226-h7ff-ch6c
VCID-d8yr-5fqs-y3b1	cross-site scripting	CVE-2021-41165 GHSA-7h26-63m7-qhf2
VCID-my43-4zns-1qh9	ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.	CVE-2021-32809 GHSA-7889-rm5j-hpgg
VCID-rvsb-66vn-cubn	ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.	CVE-2021-37695 GHSA-m94c-37g6-cjhc
VCID-w19v-a7xa-p7ar	cross-site scripting	CVE-2021-41164 GHSA-pvmx-g8h5-cprj
VCID-xgxf-ad4q-5kaq	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.	CVE-2022-24729 GHSA-f6rf-9m92-x2hh

Vulnerability

Summary

Aliases

VCID-39xu-3gsh-hbe9

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

CVE-2022-24728
GHSA-4fc4-4p5g-6w89

VCID-cff2-8n98-fbdz

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.

CVE-2021-32808
GHSA-6226-h7ff-ch6c

VCID-d8yr-5fqs-y3b1

cross-site scripting

CVE-2021-41165
GHSA-7h26-63m7-qhf2

VCID-my43-4zns-1qh9

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

CVE-2021-32809
GHSA-7889-rm5j-hpgg

VCID-rvsb-66vn-cubn

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

CVE-2021-37695
GHSA-m94c-37g6-cjhc

VCID-w19v-a7xa-p7ar

cross-site scripting

CVE-2021-41164
GHSA-pvmx-g8h5-cprj

VCID-xgxf-ad4q-5kaq

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

CVE-2022-24729
GHSA-f6rf-9m92-x2hh

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T19:36:39.240692+00:00	Debian Importer	Fixing	VCID-d8yr-5fqs-y3b1	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-07-03T18:42:11.523797+00:00	Debian Importer	Fixing	VCID-w19v-a7xa-p7ar	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-07-03T18:33:51.388969+00:00	Debian Importer	Fixing	VCID-rvsb-66vn-cubn	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-07-03T16:51:11.989266+00:00	Debian Importer	Fixing	VCID-xgxf-ad4q-5kaq	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-07-03T16:43:40.883474+00:00	Debian Importer	Affected by	VCID-v8en-17hx-mqbv	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-07-03T16:23:07.165905+00:00	Debian Importer	Fixing	VCID-cff2-8n98-fbdz	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-07-03T16:00:23.451007+00:00	Debian Importer	Fixing	VCID-my43-4zns-1qh9	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-07-03T15:50:01.355520+00:00	Debian Importer	Fixing	VCID-39xu-3gsh-hbe9	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-07-01T16:19:31.707092+00:00	Debian Importer	Fixing	VCID-d8yr-5fqs-y3b1	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T16:10:25.887765+00:00	Debian Importer	Fixing	VCID-w19v-a7xa-p7ar	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T16:06:57.086836+00:00	Debian Importer	Fixing	VCID-rvsb-66vn-cubn	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:45:23.700372+00:00	Debian Importer	Fixing	VCID-xgxf-ad4q-5kaq	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:39:42.985245+00:00	Debian Importer	Affected by	VCID-v8en-17hx-mqbv	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:31:19.931841+00:00	Debian Importer	Fixing	VCID-cff2-8n98-fbdz	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:22:53.030837+00:00	Debian Importer	Fixing	VCID-my43-4zns-1qh9	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:08:22.708789+00:00	Debian Importer	Fixing	VCID-39xu-3gsh-hbe9	https://security-tracker.debian.org/tracker/data/json	36.1.3