#VU31182 Cross-site scripting in CKEditor


Published: 2018-11-14 | Updated: 2020-07-17

Vulnerability identifier: #VU31182

Vulnerability risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-17960

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CKEditor
Web applications / JS libraries

Vendor: CKSource

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.

Mitigation
Install update from vendor's website.

Vulnerable software versions

CKEditor: 4.0.0 - 4.10.1

External links
http://www.securityfocus.com/bid/109205
http://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/
http://ckeditor.com/cke4/release/CKEditor-4.11.0
http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Engineering Requirements Management DOORS/DWA
Cross-site scripting in otrs (Alpine package)
Cross-site scripting in CKSource CKEditor
Multiple vulnerabilities in IBM Engineering Workflow Management (EWM)