VYPR
High severity · NVD Advisory · Published Aug 12, 2021 · Updated Aug 3, 2024

Cross-site scripting in ckeditor via abuse of undo functionality

CVE-2021-32808

Description

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting (XSS) vulnerability in CKEditor 4's clipboard Widget plugin, combined with the undo feature, allows JavaScript execution via malformed widget HTML.

Vulnerability

The clipboard Widget plugin in CKEditor 4, when used alongside the undo feature, is vulnerable to stored cross-site scripting (XSS). The bug allows a user to abuse undo functionality by inserting malformed widget HTML, which can lead to JavaScript code execution. This affects all users using CKEditor 4 version >= 4.13.0 who have the clipboard Widget plugin enabled. The issue was identified and patched in version 4.16.2 [1][2][3].

Exploitation

An attacker needs to be able to provide malformed widget HTML to a CKEditor instance that has the clipboard Widget plugin enabled and the undo feature active. The attacker can craft a widget with specially malformed HTML that, when the undo operation is performed, triggers the execution of attacker-controlled JavaScript. The exploitation requires user interaction (e.g., pasting the malformed widget content) and the use of the undo feature [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's CKEditor session. This can lead to data theft, session hijacking, or other client-side attacks depending on the application's trust in the editor [1].

Mitigation

The vulnerability is patched in CKEditor 4 version 4.16.2, released on August 18, 2021 [2][3]. Users should upgrade to at least this version. CKEditor 4 reached end of life on June 30, 2023, and the open-source version no longer receives security updates; commercial CKEditor 4 LTS provides extended support until December 2028 [1]. No workarounds have been published for unpatched versions beyond disabling the clipboard Widget plugin [1].
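As an added example (not part of the advisory and not CKEditor's own code), the following JavaScript turns the advisory's affected range (>= 4.13.0, < 4.16.2) into a check a defender can run over an inventory of deployed CKEditor 4 builds or against a live page. The host names and versions in SAMPLE_INVENTORY are constructed sample data; CKEDITOR.version is the global the editor exposes at runtime, and the plugin identifier 'widget' used for the removePlugins workaround is an assumption about how the advisory's "clipboard Widget plugin" is named in the editor's configuration.

```javascript
// Added example for CVE-2021-32808: classify CKEditor 4 versions against the
// advisory's affected range and report what to do about each one.

// Parse "4.16.1" (tolerating a trailing suffix such as "4.16.1 (Standard)",
// defensively, in case the runtime version string carries one) into
// [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_FROM = [4, 13, 0]; // inclusive lower bound, from the advisory
const PATCHED_IN = [4, 16, 2];    // first fixed release, from the advisory

// True when the version lies in [4.13.0, 4.16.2).
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, PATCHED_IN) < 0;
}

// Advisory workaround for builds that cannot be upgraded yet: remove the
// widget plugin. The plugin identifier is an assumption (see lead-in).
function workaroundConfig() {
  return { removePlugins: 'widget' };
}

// Run the check over an inventory of deployments and return only the
// entries that need action.
function auditInventory(inventory) {
  return inventory
    .filter((entry) => isAffected(entry.version))
    .map((entry) => ({
      host: entry.host,
      version: entry.version,
      action: 'upgrade to 4.16.2 or later; until then apply removePlugins',
      interimConfig: workaroundConfig(),
    }));
}

// Check a running page: returns null when no CKEditor global is present,
// otherwise whether the loaded build is in the affected range.
function checkRunningEditor(globalObject) {
  if (!globalObject || typeof globalObject.CKEDITOR === 'undefined') return null;
  return isAffected(globalObject.CKEDITOR.version);
}

// Constructed sample inventory (not real hosts).
const SAMPLE_INVENTORY = [
  { host: 'intranet-cms', version: '4.16.1' },
  { host: 'ticket-portal', version: '4.12.1' },
  { host: 'wiki', version: '4.16.2' },
];

// Usage: print the deployments that still need attention.
console.log(JSON.stringify(auditInventory(SAMPLE_INVENTORY), null, 2));
```

In a browser you would call checkRunningEditor(window) from the page that embeds the editor; in a build pipeline, auditInventory can be fed the versions read from each application's lock file.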

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         | Ecosystem | Affected versions    | Patched versions
ckeditor4       | npm       | >= 4.13.0, < 4.16.2  | 4.16.2

Affected products (2)

  • ghsa-coords
    Range: >= 4.13.0, < 4.16.2
  • ckeditor/ckeditor4v5
    Range: >= 4.13.0, < 4.16.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (12)

News mentions (0)

No linked articles in our index yet.