CVE-2024-43411: CKEditor4 low-risk cross-site scripting (XSS) vulnerability linked to potential domain takeover

August 21, 2024 (updated November 18, 2024)

A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. Although the vulnerability is purely hypothetical, we have addressed it in CKEditor 4.25.0-lts to ensure compliance with security best practices.

References

github.com/advisories/GHSA-6v96-m24v-f58j
github.com/ckeditor/ckeditor4
github.com/ckeditor/ckeditor4/commit/b5069c9cb769ea22eae1cbd7200f22b1cf2e3a7f
github.com/ckeditor/ckeditor4/security/advisories/GHSA-6v96-m24v-f58j
nvd.nist.gov/vuln/detail/CVE-2024-43411

Code Behaviors & Features

Detect and mitigate CVE-2024-43411 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →