CVE-2024-45613 MEDIUM

CVE-2024-45613: CKEditor 5 has Cross-site Scripting vulnerability in the clipboard package

Vendor Ckeditor
Product ckeditor5
Weakness CWE-79 · XSS
Published September 25, 2024
Last update October 1, 2024
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either the General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. As a workaround, one may disable the block toolbar plugin.

Key dates

02Disclosure timeline

September 25, 2024 CVE published
October 1, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-52599 Tuleap vulnerable to XSS in the Gantt chart of the tracker plugin CVE-2025-31760 WordPress SnapWidget Social Photo Feed Widget plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-6539 Voltax Video Player <= 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter CVE-2023-35884 WordPress EventPrime Plugin <= 3.0.5 is vulnerable to Cross Site Scripting (XSS) CVE-2024-26082 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)