Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yZ2c4LWc1eDgtd3I5ds4AA_xh
Cross-site scripting (XSS) in the clipboard package
Impact
During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration.
This vulnerability affects only installations where the editor configuration meets the following criteria:
- The Block Toolbar plugin is enabled.
- One of the following plugins is also enabled:
- General HTML Support with a configuration that permits unsafe markup.
- HTML Embed.
Patches
The problem has been recognized and patched. The fix will be available in version 43.1.1 (and above), and explicitly in version 41.3.2.
Workarounds
It's highly recommended to update to the version 43.1.1 or higher. However, if the update is not an option, we recommend disabling the block toolbar plugin.
For more information
Email us at [email protected] if you have any questions or comments about this advisory.
Permalink: https://github.com/advisories/GHSA-rgg8-g5x8-wr9vJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yZ2c4LWc1eDgtd3I5ds4AA_xh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 2 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Percentage: 0.00046
EPSS Percentile: 0.18503
Identifiers: GHSA-rgg8-g5x8-wr9v, CVE-2024-45613
References:
- https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v
- https://nvd.nist.gov/vuln/detail/CVE-2024-45613
- https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1
- https://github.com/advisories/GHSA-rgg8-g5x8-wr9v
Blast Radius: 25.7
Affected Packages
npm:@ckeditor/ckeditor5-clipboard
Dependent packages: 212Dependent repositories: 3,767
Downloads: 3,000,836 last month
Affected Version Ranges: >= 40.0.0, < 43.1.1
Fixed in: 43.1.1
All affected versions: 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1, 41.3.2, 41.4.0, 41.4.1, 41.4.2, 42.0.0, 42.0.1, 42.0.2, 43.0.0, 43.1.0
All unaffected versions: 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.7.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 11.0.0, 11.0.1, 11.0.2, 12.0.0, 12.0.1, 12.0.2, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.0.1, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0, 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 43.1.1, 43.2.0, 43.3.0, 43.3.1
npm:ckeditor5
Dependent packages: 238Dependent repositories: 3,563
Downloads: 3,103,769 last month
Affected Version Ranges: >= 40.0.0, < 43.1.1
Fixed in: 43.1.1
All affected versions: 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1, 41.3.2, 41.4.0, 41.4.1, 41.4.2, 42.0.0, 42.0.1, 42.0.2, 43.0.0, 43.1.0
All unaffected versions: 10.0.0, 10.0.1, 10.1.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.1.0, 12.2.0, 12.3.0, 12.3.1, 12.4.0, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.1.0, 19.1.1, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0, 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 43.1.1, 43.2.0, 43.3.0, 43.3.1