CVE-2018-11093: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 23, 2018 (updated September 13, 2021)

Cross-site scripting (XSS) vulnerability in the Link package for CKEditor 5 allows remote attackers to inject arbitrary web script through a crafted href attribute of a link (A) element.

References

ckeditor.com/blog/CKEditor-5-v10.0.1-released/
github.com/advisories/GHSA-gvpx-9459-w3mj
github.com/ckeditor/ckeditor5-link/blob/master/CHANGELOG.md
nvd.nist.gov/vuln/detail/CVE-2018-11093
snyk.io/vuln/SNYK-JS-CKEDITORCKEDITOR5LINK-72892
www.npmjs.com/advisories/1154

Code Behaviors & Features

Detect and mitigate CVE-2018-11093 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →