Skip to main content

Ckeditor CVE-2023-4771

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-11-16 cve-coordination@incibe.es
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 16, 2023 - 14:15 nvd
MEDIUM 6.1

DescriptionNVD

A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information.

AnalysisAI

A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information. Affected products include: Cksource Ckeditor.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-31541 CRITICAL POC
9.8 Jun 13

A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3

CVE-2021-33829 MEDIUM POC
6.1 Jun 09

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1

CVE-2018-17960 MEDIUM POC
6.1 Nov 14

CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. Rated medium severity (CVSS 6.1), thi

CVE-2022-24729 HIGH
7.5 Mar 16

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated high severity (CVSS 7.5), this vulnerability

CVE-2012-2067 MEDIUM
6.8 Sep 05

Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 a

CVE-2021-26272 MEDIUM
6.5 Jan 26

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL

CVE-2021-26271 MEDIUM
6.5 Jan 26

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted tex

CVE-2024-43407 MEDIUM
6.1 Aug 21

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2024-24816 MEDIUM
6.1 Feb 07

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2024-24815 MEDIUM
6.1 Feb 07

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2023-28439 MEDIUM
6.1 Mar 22

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2020-27193 MEDIUM
6.1 Nov 12

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run

Share

CVE-2023-4771 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy