ckeditor4-4.21.0.tgz: 3 vulnerabilities (highest severity is: 6.1) #603

Open
mend-bolt-for-github bot opened this issue Mar 13, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

mend-bolt-for-github bot commented Mar 13, 2024

Vulnerable Library - ckeditor4-4.21.0.tgz

Library home page: https://registry.npmjs.org/ckeditor4/-/ckeditor4-4.21.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (ckeditor4 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-43407 | Medium | 6.1 | ckeditor4-4.21.0.tgz | Direct | ckeditor4 - 4.25.0-lts | |
| CVE-2024-24816 | Medium | 6.1 | ckeditor4-4.21.0.tgz | Direct | ckeditor4 - 4.24.0 | |
| CVE-2024-24815 | Medium | 6.1 | ckeditor4-4.21.0.tgz | Direct | ckeditor4 - 4.24.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-43407

Vulnerable Library - ckeditor4-4.21.0.tgz

Library home page: https://registry.npmjs.org/ckeditor4/-/ckeditor4-4.21.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • ckeditor4-4.21.0.tgz (Vulnerable Library)

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Found in base branch: develop

Vulnerability Details

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in the CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is available in version 4.25.0-lts.

Publish Date: 2024-08-21

URL: CVE-2024-43407

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-7r32-vfj5-c2jv

Release Date: 2024-08-21

Fix Resolution: ckeditor4 - 4.25.0-lts


CVE-2024-24816

Vulnerable Library - ckeditor4-4.21.0.tgz

Library home page: https://registry.npmjs.org/ckeditor4/-/ckeditor4-4.21.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • ckeditor4-4.21.0.tgz (Vulnerable Library)

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Found in base branch: develop

Vulnerability Details

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the preview feature. All integrators that use these samples in production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users of CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.

Publish Date: 2024-02-07

URL: CVE-2024-24816

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-24816

Release Date: 2024-02-07

Fix Resolution: ckeditor4 - 4.24.0


CVE-2024-24815

Vulnerable Library - ckeditor4-4.21.0.tgz

Library home page: https://registry.npmjs.org/ckeditor4/-/ckeditor4-4.21.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • ckeditor4-4.21.0.tgz (Vulnerable Library)

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Found in base branch: develop

Vulnerability Details

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in the Advanced Content Filtering configuration (defaults to script and style elements). The vulnerability allows attackers to inject malformed HTML content, bypassing the Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.

Publish Date: 2024-02-07

URL: CVE-2024-24815

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-24815

Release Date: 2024-02-07

Fix Resolution: ckeditor4 - 4.24.0


@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Mar 13, 2024
@mend-bolt-for-github mend-bolt-for-github bot changed the title ckeditor4-4.21.0.tgz: 2 vulnerabilities (highest severity is: 6.1) ckeditor4-4.21.0.tgz: 3 vulnerabilities (highest severity is: 6.1) Aug 22, 2024