Affected packages
The vulnerability has been discovered in the AJAX sample available at the samples/old/ajax.html file location. All integrators that use that sample in the production code can be affected.
Impact
A potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. It affects all users using the CKEditor 4 at version < 4.24.0-lts where samples/old/ajax.html is used in a production environment.
Patches
The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.
For more information
Email us at security@cksource.com if you have any questions or comments about this advisory.
Acknowledgements
The CKEditor 4 team would like to thank Rafael Pedrero and INCIBE (original report) for recognizing and reporting this vulnerability.
References
Affected packages
The vulnerability has been discovered in the AJAX sample available at the
samples/old/ajax.htmlfile location. All integrators that use that sample in the production code can be affected.Impact
A potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. It affects all users using the CKEditor 4 at version < 4.24.0-lts where
samples/old/ajax.htmlis used in a production environment.Patches
The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.
For more information
Email us at security@cksource.com if you have any questions or comments about this advisory.
Acknowledgements
The CKEditor 4 team would like to thank Rafael Pedrero and INCIBE (original report) for recognizing and reporting this vulnerability.
References