npm package
ckeditor4
pkg:npm/ckeditor4
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-43411 | Low | 3.1 | — | >= 4.22.0, < 4.25.0 | 4.25.0 | Aug 21, 2024 | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially exec |
| CVE-2024-43407 | — | — | — | < 4.25.0 | 4.25.0 | Aug 21, 2024 | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the |
| CVE-2024-24816 | — | — | — | < 4.24.0-lts | 4.24.0-lts | Feb 7, 2024 | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code ca |
| CVE-2024-24815 | — | — | — | < 4.24.0-lts | 4.24.0-lts | Feb 7, 2024 | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or e |
| CVE-2023-4771 | — | — | — | < 4.24.0-lts | 4.24.0-lts | Nov 16, 2023 | A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information. |
| CVE-2022-24728 | — | — | — | < 4.18.0 | 4.18.0 | Mar 16, 2022 | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing |
| CVE-2021-41165 | — | — | — | < 4.17.0 | 4.17.0 | Nov 17, 2021 | CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, w |
| CVE-2021-41164 | — | — | — | < 4.17.0 | 4.17.0 | Nov 17, 2021 | CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, |
| CVE-2021-37695 | — | — | — | < 4.16.2 | 4.16.2 | Aug 12, 2021 | ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could |
| CVE-2021-32809 | — | — | — | >= 4.5.2, < 4.16.2 | 4.16.2 | Aug 12, 2021 | ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which |
| CVE-2021-32808 | — | — | — | >= 4.13.0, < 4.16.2 | 4.16.2 | Aug 12, 2021 | ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could re |
| CVE-2021-33829 | — | — | — | >= 4.14.0, < 4.16.1 | 4.16.1 | Jun 9, 2021 | A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. |
| CVE-2021-26272 | — | — | — | < 4.16.0 | 4.16.0 | Jan 26, 2021 | It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin). |
| CVE-2020-27193 | — | — | — | < 4.15.1 | 4.15.1 | Nov 12, 2020 | A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of the editor inputs. |
| CVE-2020-9281 | — | — | — | < 4.14.0 | 4.14.0 | Mar 7, 2020 | A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). |