CPE-C8D94653-3E90-4866-9FF8-69F6F5E6D8C3 Détail

CPE Details

CKEditor 4.0 LTS Edition

Vendor

ckeditor

Product

ckeditor

Version

4.0

Created

2024-04-12
10h08 +00:00

Modifié

2024-04-12
10h08 +00:00

Liens officiels

CPE NVD

Alerte pour un CPE

Restez informé de toutes modifications pour un CPE spécifique.

Gestion des notifications

Liste des Notifications

Alerte pour un CPE

Restez informé de toutes modifications pour un CPE spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

CPE ID

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

CPE Name: cpe:2.3:a:ckeditor:ckeditor:4.0::::lts:::

Informations

Vendor

ckeditor

Product

ckeditor

Version

4.0

Software Edition

lts

Related CVE

Open and find in CVE List

CVE ID	Publié	Description	Score	Gravité
CVE-2024-43407	2024-08-21 13h15 +00:00	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.	6.1	Moyen
CVE-2024-24816	2024-02-07 16h58 +00:00	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.	6.1	Moyen
CVE-2024-24815	2024-02-07 15h14 +00:00	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.	6.1	Moyen
CVE-2023-28439	2023-03-22 20h55 +00:00	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.</td> <td><div class="badge badge-light-warning" style="font-size:1em">6.1</div></td> <td><div class="badge badge-light-warning" style="font-size:1em;text-transform: uppercase;">Moyen</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2022-24728.html'>CVE-2022-24728</a></nobr></td> <td><nobr>2022-03-15<span class='fs-7'> 23h00</span><span class='fs-9'> +00:00</span></nobr></td> <td>CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.</td> <td><div class="badge badge-light-warning" style="font-size:1em">5.4</div></td> <td><div class="badge badge-light-warning" style="font-size:1em;text-transform: uppercase;">Moyen</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2022-24729.html'>CVE-2022-24729</a></nobr></td> <td><nobr>2022-03-15<span class='fs-7'> 23h00</span><span class='fs-9'> +00:00</span></nobr></td> <td>CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.</td> <td><div class="badge badge-light-danger" style="font-size:1em">7.5</div></td> <td><div class="badge badge-light-danger" style="font-size:1em;text-transform: uppercase;">Haute</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2021-41165.html'>CVE-2021-41165</a></nobr></td> <td><nobr>2021-11-17<span class='fs-7'> 18h15</span><span class='fs-9'> +00:00</span></nobr></td> <td>CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.</td> <td><div class="badge badge-light-danger" style="font-size:1em">8.2</div></td> <td><div class="badge badge-light-danger" style="font-size:1em;text-transform: uppercase;">Haute</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2021-41164.html'>CVE-2021-41164</a></nobr></td> <td><nobr>2021-11-16<span class='fs-7'> 23h00</span><span class='fs-9'> +00:00</span></nobr></td> <td>CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.</td> <td><div class="badge badge-light-danger" style="font-size:1em">8.2</div></td> <td><div class="badge badge-light-danger" style="font-size:1em;text-transform: uppercase;">Haute</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2021-37695.html'>CVE-2021-37695</a></nobr></td> <td><nobr>2021-08-12<span class='fs-7'> 21h10</span><span class='fs-9'> +00:00</span></nobr></td> <td>ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.</td> <td><div class="badge badge-light-danger" style="font-size:1em">7.3</div></td> <td><div class="badge badge-light-danger" style="font-size:1em;text-transform: uppercase;">Haute</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2021-26272.html'>CVE-2021-26272</a></nobr></td> <td><nobr>2021-01-26<span class='fs-7'> 19h39</span><span class='fs-9'> +00:00</span></nobr></td> <td>It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).</td> <td><div class="badge badge-light-warning" style="font-size:1em">6.5</div></td> <td><div class="badge badge-light-warning" style="font-size:1em;text-transform: uppercase;">Moyen</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2021-26271.html'>CVE-2021-26271</a></nobr></td> <td><nobr>2021-01-26<span class='fs-7'> 19h39</span><span class='fs-9'> +00:00</span></nobr></td> <td>It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).</td> <td><div class="badge badge-light-warning" style="font-size:1em">6.5</div></td> <td><div class="badge badge-light-warning" style="font-size:1em;text-transform: uppercase;">Moyen</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2020-9440.html'>CVE-2020-9440</a></nobr></td> <td><nobr>2020-03-10<span class='fs-7'> 15h57</span><span class='fs-9'> +00:00</span></nobr></td> <td>A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.</td> <td><div class="badge badge-light-warning" style="font-size:1em">6.1</div></td> <td><div class="badge badge-light-warning" style="font-size:1em;text-transform: uppercase;">Moyen</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2020-9281.html'>CVE-2020-9281</a></nobr></td> <td><nobr>2020-03-06<span class='fs-7'> 23h02</span><span class='fs-9'> +00:00</span></nobr></td> <td>A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).</td> <td><div class="badge badge-light-warning" style="font-size:1em">6.1</div></td> <td><div class="badge badge-light-warning" style="font-size:1em;text-transform: uppercase;">Moyen</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2018-17960.html'>CVE-2018-17960</a></nobr></td> <td><nobr>2018-11-14<span class='fs-7'> 19h00</span><span class='fs-9'> +00:00</span></nobr></td> <td>CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.</td> <td><div class="badge badge-light-warning" style="font-size:1em">6.1</div></td> <td><div class="badge badge-light-warning" style="font-size:1em;text-transform: uppercase;">Moyen</div></td> </tr> <tr> <td><nobr><a href='/fr/cve/CVE-2014-5191.html'>CVE-2014-5191</a></nobr></td> <td><nobr>2014-08-07<span class='fs-7'> 08h00</span><span class='fs-9'> +00:00</span></nobr></td> <td>Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.</td> <td><div class="badge badge-light-warning" style="font-size:1em">4.3</div></td> <td></td> </tr> </tbody> </table> </div> <div class="separator my-10"></div> </div> </div> </div> </div> </div> </div> <!--end::Container--> <!--begin::Footer--> <div class="footer py-4 d-flex flex-lg-column" id="kt_footer"> <div class="container-xxl d-flex flex-column flex-md-row align-items-center justify-content-between"> <div class="text-gray-900 order-2 order-md-1"> <span class="text-muted fw-semibold me-1">2025©</span> <a href="https://www.tesweb.com" target="_blank" class="text-gray-800 text-hover-primary">tesweb SA</a> </div> <ul class="menu menu-gray-600 menu-hover-primary fw-semibold order-1"> <li class="menu-item"> <a href="/fr/official.html" class="menu-link px-2">Database Partners</a> </li> <li class="menu-item"> <a href="/fr/gdpr.html" class="menu-link px-2">GDPR</a> </li> <li class="menu-item"> <a href="/fr/contact.html" class="menu-link px-2">Contact</a> </li> <li class="menu-item"> <a href="/fr/plan-price.html" class="menu-link px-2">Purchase</a> </li> <li class="menu-item"> <a href="https://www.linkedin.com/company/cve-find/" class="menu-link px-2" target="_blank"><img src="/media/social/linkedin.svg" width="40" height="40"/></a> </li> <li class="menu-item"> <a href="https://www.facebook.com/people/CVE-Find-Alert/61561116452093/" class="menu-link px-2" target="_blank"><img src="/media/social/facebook.svg" width="40" height="40"/></a> </li> <li class="menu-item"> <a href="https://x.com/cvefindcom" class="menu-link px-2" target="_blank"><img src="/media/social/twitter.svg" width="40" height="40"/></a> </li> </ul> </div> </div> </div> </div> </div> <!--begin::Javascript--> <script>var hostUrl = "assets/";</script> <!--begin::Global Javascript Bundle(mandatory for all pages)--> <script src="/plugins/global/plugins.bundle.js"></script> <script src="/js/scripts.bundle.js"></script> <!--end::Global Javascript Bundle--> <script src="/js/app/custom.min.js"></script> <script src="/js/app/base.js.php"></script> <!--begin::Vendors Javascript(used for this page only)--> <script src='https://www.cvefind.com/plugins/custom/datatables/datatables.bundle.js'></script> <script src="/js/app/account/manageAlertNeedAccount.min.js"></script> <!--end::Custom Javascript--> <!-- Specific Page JS --> <!--end::Javascript--> </body> </html> <script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="6c23e8de00c0fac7494789d7-\|49" defer></script>

CKEditor 4.0 LTS Edition

CPE Details

CPE Name: cpe:2.3:a:ckeditor:ckeditor:4.0:*:*:*:lts:*:*:*

Informations

Vendor

Product

Version

Software Edition

Related CVE

CPE Name: cpe:2.3:a:ckeditor:ckeditor:4.0::::lts:::