VYPR
Moderate severity · NVD Advisory · Published Nov 14, 2018 · Updated Aug 5, 2024

CVE-2018-17960

Description

CKEditor 4.x before 4.11.0 allows user-assisted XSS via pasting crafted HTML in source mode and switching back to WYSIWYG mode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a cross-site scripting (XSS) issue in the HTML parser of CKEditor 4.x before 4.11.0. Crafted HTML pasted into the editor in source mode survives the conversion back to WYSIWYG mode and is rendered, so attacker-controlled JavaScript executes in the victim's browser [1][3]. All CKEditor 4.x releases before 4.11.0 are affected, including copies bundled by other products: TYPO3 CMS 8.5.0 to 8.7.20 and 9.0.0 to 9.5.1 ship a vulnerable CKEditor [4]. The fix was released in CKEditor 4.11.0 [1][3].

Exploitation

Exploitation requires user interaction: the victim must (i) switch CKEditor to source mode, (ii) paste HTML prepared by the attacker into the source area, and (iii) switch back to WYSIWYG mode [1][3]. The attacker needs no special network position; the precondition is a victim who can be persuaded, typically through social engineering, to paste untrusted HTML into the editor. In TYPO3, a valid backend user account is required to reach the editor at all [4].

Impact

Successful exploitation executes attacker-supplied JavaScript in the victim's browser, in the origin of the application hosting the editor. That enables session hijacking, disclosure of data reachable from that origin, and actions performed with the victim's privileges. The TYPO3 advisory rates the issue with CVSS v3.0 vector AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N [4]; under the v3.0 formula that vector evaluates to a base score of 4.4 (Medium), while the 5.4 score quoted for this CVE corresponds to the same vector with AC:L. Either way the rating is Medium: limited confidentiality and integrity impact, no availability impact, and required user interaction.

Mitigation

The fix is included in CKEditor 4.11.0, released November 6, 2018 [1][3]; upgrade to 4.11.0 or later. TYPO3 installations should update to 8.7.21 or 9.5.2, which bundle the patched CKEditor [4]. No workaround is documented, so upgrading is the only recommended action. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions     Patched versions
ckeditor         npm         < 4.11.0              4.11.0
typo3/cms-core   Packagist   >= 8.0.0, < 8.7.21    8.7.21
typo3/cms-core   Packagist   >= 9.0.0, < 9.5.2     9.5.2
typo3/cms        Packagist   >= 8.0.0, < 8.7.21    8.7.21
typo3/cms        Packagist   >= 9.0.0, < 9.5.2     9.5.2

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 11

News mentions: 0 (no linked articles in our index yet)