Field | Value |
---|---|
purl | pkg:deb/debian/ckeditor@4.22.1%2Bdfsg1-2 |
Next non-vulnerable version | None. |
Latest non-vulnerable version | None. |
Risk | 3.1 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-s7qd-nhfh-gbdn (aliases: CVE-2024-43411, GHSA-6v96-m24v-f58j) | CKEditor4 low-risk cross-site scripting (XSS) vulnerability linked to potential domain takeover. **Affected Packages:** The issue impacts only editor instances with enabled [version notifications](https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_config.html#cfg-versionCheck). Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please [contact us](mailto:security@cksource.com). **Impact:** A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. Although the vulnerability is purely hypothetical, we have addressed it in CKEditor 4.25.0-lts to ensure compliance with security best practices. **Patches:** The issue has been recognized and patched. The fix is available in version 4.25.0-lts. **For More Information:** If you have any questions or comments about this advisory, please email us at [security@cksource.com](mailto:security@cksource.com). | There are no reported fixed by versions. |
Vulnerability | Summary | Aliases |
---|---|---|
VCID-v8en-17hx-mqbv | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting the Iframe Dialog and Media Embed packages. The vulnerability may trigger JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with a missing or improper Content Security Policy configuration; initializing the editor on an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on a dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options, or who cannot upgrade to a patched version, should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page. | CVE-2023-28439, GHSA-vh5c-xwqv-cv9g |
Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
---|---|---|---|---|---|
2025-07-03T18:21:04.863685+00:00 | Debian Importer | Affected by | VCID-s7qd-nhfh-gbdn | https://security-tracker.debian.org/tracker/data/json | 37.0.0 |
2025-07-03T16:43:40.885630+00:00 | Debian Importer | Fixing | VCID-v8en-17hx-mqbv | https://security-tracker.debian.org/tracker/data/json | 37.0.0 |
2025-07-01T16:04:49.538910+00:00 | Debian Importer | Affected by | VCID-s7qd-nhfh-gbdn | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
2025-07-01T15:39:42.987710+00:00 | Debian Importer | Fixing | VCID-v8en-17hx-mqbv | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |