Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1yZ2c4LWc1eDgtd3I5ds4AA_xh

Moderate CVSS: 5.1 EPSS: 0.00049% (0.15163 Percentile) EPSS:
Permalink JSON

Cross-site scripting (XSS) in the clipboard package

Affected Packages Affected Versions Fixed Versions
npm:@ckeditor/ckeditor5-clipboard
PURL: pkg:npm/%40ckeditor%2Fckeditor5-clipboard
>= 40.0.0, < 43.1.1 43.1.1
212 Dependent packages
3,767 Dependent repositories
3,000,836 Downloads last month

Affected Version Ranges

All affected versions

40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1, 41.3.2, 41.4.0, 41.4.1, 41.4.2, 42.0.0, 42.0.1, 42.0.2, 43.0.0, 43.1.0

All unaffected versions

0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.7.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 11.0.0, 11.0.1, 11.0.2, 12.0.0, 12.0.1, 12.0.2, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.0.1, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0, 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 43.1.1, 43.2.0, 43.3.0, 43.3.1
npm:ckeditor5
PURL: pkg:npm/ckeditor5
>= 40.0.0, < 43.1.1 43.1.1
238 Dependent packages
3,563 Dependent repositories
3,103,769 Downloads last month

Affected Version Ranges

All affected versions

40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1, 41.3.2, 41.4.0, 41.4.1, 41.4.2, 42.0.0, 42.0.1, 42.0.2, 43.0.0, 43.1.0

All unaffected versions

10.0.0, 10.0.1, 10.1.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.2.0, 12.0.0, 12.1.0, 12.2.0, 12.3.0, 12.3.1, 12.4.0, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.1.0, 19.1.1, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0, 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 43.1.1, 43.2.0, 43.3.0, 43.3.1

Impact

During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

  1. The Block Toolbar plugin is enabled.
  2. One of the following plugins is also enabled:

Patches

The problem has been recognized and patched. The fix will be available in version 43.1.1 (and above), and explicitly in version 41.3.2.

Workarounds

It's highly recommended to update to the version 43.1.1 or higher. However, if the update is not an option, we recommend disabling the block toolbar plugin.

For more information

Email us at security@cksource.com if you have any questions or comments about this advisory.

References:

Identifiers

GHSA-rgg8-g5x8-wr9v

CVE-2024-45613

Risk

Severity

Moderate

CVSS

CVSS Score: 5.1

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS

EPSS Percentage: 0.00049

EPSS Percentile: 0.15163

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/ckeditor/ckeditor5

Date and time

Published

12 months ago

Updated

11 months ago

API

JSON