CVE-2023-28439 Vulnerability Details

  /     /     /  

CVE-2023-28439 Metadata Quick Info

CVE Published: 22/03/2023 | CVE Updated: 15/10/2024 | CVE Year: 2023
Source: GitHub_M | Vendor: ckeditor | Product: ckeditor4
Status : PUBLISHED

---

CVE-2023-28439 Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page. <br /><br /> <h2>Metrics</h2> <span style = "font-size:14px;" >CVSS Version: 3.1</span> | <span style = "font-size:14px;" >Base Score: 4.7 MEDIUM</span><br /> <span style = "font-size:14px;" >Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N</span> <br /><br /> <span style = "font-size:14px;" ><strong>l➤ Exploitability Metrics:</strong><br /> <span style = "font-size:14px;" >     Attack Vector (AV)* NETWORK</span> <br /> <span style = "font-size:14px;" >     Attack Complexity (AC)* HIGH</span> <br /> <span style = "font-size:14px;" >     Privileges Required (PR)* NONE</span> <br /> <span style = "font-size:14px;" >     User Interaction (UI)* REQUIRED</span> <br /> <span style = "font-size:14px;" >     Scope (S)* CHANGED</span> <br /><br /> <span style = "font-size:14px;" ><strong>l➤ Impact Metrics:</strong><br /> <span style = "font-size:14px;" >     Confidentiality Impact (C)* LOW</span> <br /> <span style = "font-size:14px;" >     Integrity Impact (I)* LOW</span> <br /> <span style = "font-size:14px;" >     Availability Impact (A)* NONE</span> <br /><br /> <h2>Weakness Enumeration (CWE)</h2> <span style = "font-size:14px;" >CWE-ID: CWE-79</span> <br /> <span style = "font-size:14px;" >CWE Name: CWE-79: Improper Neutralization of Input During Web Page Generation ( Cross-site Scripting )</span> <br /> <span style = "font-size:14px;" >Source: ckeditor</span> <br /><br /> <h2>Common Attack Pattern Enumeration and Classification (CAPEC)</h2> <span style = "font-size:14px;" >CAPEC-ID: </span> <br /> <span style = "font-size:14px;" >CAPEC Description: </span> <br /><br /><br /> <span style = "font-size:12px;"> Source: NVD (National Vulnerability Database). </span> </p> </div> </div> </section> <section class="defend"> <div class="inner-section"> <div class="gridx2"> <div class="grid-text"> <caption> <!-- <h2></h2> <br /> --> </caption> <table class="report-table"> <caption> Last added CVEs </caption> <tr> <td> <a href = ""> <svg xmlns="http://www.w3.org/2000/svg" width="25" height="25" fill="currentColor" class="bi bi-bug" viewBox="0 0 16 16"> <path d="M4.355.522a.5.5 0 0 1 .623.333l.291.956A5 5 0 0 1 8 1c1.007 0 1.946.298 2.731.811l.29-.956a.5.5 0 1 1 .957.29l-.41 1.352A5 5 0 0 1 13 6h.5a.5.5 0 0 0 .5-.5V5a.5.5 0 0 1 1 0v.5A1.5 1.5 0 0 1 13.5 7H13v1h1.5a.5.5 0 0 1 0 1H13v1h.5a1.5 1.5 0 0 1 1.5 1.5v.5a.5.5 0 1 1-1 0v-.5a.5.5 0 0 0-.5-.5H13a5 5 0 0 1-10 0h-.5a.5.5 0 0 0-.5.5v.5a.5.5 0 1 1-1 0v-.5A1.5 1.5 0 0 1 2.5 10H3V9H1.5a.5.5 0 0 1 0-1H3V7h-.5A1.5 1.5 0 0 1 1 5.5V5a.5.5 0 0 1 1 0v.5a.5.5 0 0 0 .5.5H3c0-1.364.547-2.601 1.432-3.503l-.41-1.352a.5.5 0 0 1 .333-.623M4 7v4a4 4 0 0 0 3.5 3.97V7zm4.5 0v7.97A4 4 0 0 0 12 11V7zM12 6a4 4 0 0 0-1.334-2.982A3.98 3.98 0 0 0 8 2a3.98 3.98 0 0 0-2.667 1.018A4 4 0 0 0 4 6z"/> </svg><br /> ▸ CVE-2024-9999 ◂<br /> Discovered: 12/11/2024<br /> Status: PUBLISHED </a> </td> <td> <a href = ""> <svg xmlns="http://www.w3.org/2000/svg" width="25" height="25" fill="currentColor" class="bi bi-bug" viewBox="0 0 16 16"> <path d="M4.355.522a.5.5 0 0 1 .623.333l.291.956A5 5 0 0 1 8 1c1.007 0 1.946.298 2.731.811l.29-.956a.5.5 0 1 1 .957.29l-.41 1.352A5 5 0 0 1 13 6h.5a.5.5 0 0 0 .5-.5V5a.5.5 0 0 1 1 0v.5A1.5 1.5 0 0 1 13.5 7H13v1h1.5a.5.5 0 0 1 0 1H13v1h.5a1.5 1.5 0 0 1 1.5 1.5v.5a.5.5 0 1 1-1 0v-.5a.5.5 0 0 0-.5-.5H13a5 5 0 0 1-10 0h-.5a.5.5 0 0 0-.5.5v.5a.5.5 0 1 1-1 0v-.5A1.5 1.5 0 0 1 2.5 10H3V9H1.5a.5.5 0 0 1 0-1H3V7h-.5A1.5 1.5 0 0 1 1 5.5V5a.5.5 0 0 1 1 0v.5a.5.5 0 0 0 .5.5H3c0-1.364.547-2.601 1.432-3.503l-.41-1.352a.5.5 0 0 1 .333-.623M4 7v4a4 4 0 0 0 3.5 3.97V7zm4.5 0v7.97A4 4 0 0 0 12 11V7zM12 6a4 4 0 0 0-1.334-2.982A3.98 3.98 0 0 0 8 2a3.98 3.98 0 0 0-2.667 1.018A4 4 0 0 0 4 6z"/> </svg><br /> ▸ CVE-2024-9997 ◂<br /> Discovered: 29/10/2024<br /> Status: PUBLISHED </a> </td> <td> <a href = ""> <svg xmlns="http://www.w3.org/2000/svg" width="25" height="25" fill="currentColor" class="bi bi-bug" viewBox="0 0 16 16"> <path d="M4.355.522a.5.5 0 0 1 .623.333l.291.956A5 5 0 0 1 8 1c1.007 0 1.946.298 2.731.811l.29-.956a.5.5 0 1 1 .957.29l-.41 1.352A5 5 0 0 1 13 6h.5a.5.5 0 0 0 .5-.5V5a.5.5 0 0 1 1 0v.5A1.5 1.5 0 0 1 13.5 7H13v1h1.5a.5.5 0 0 1 0 1H13v1h.5a1.5 1.5 0 0 1 1.5 1.5v.5a.5.5 0 1 1-1 0v-.5a.5.5 0 0 0-.5-.5H13a5 5 0 0 1-10 0h-.5a.5.5 0 0 0-.5.5v.5a.5.5 0 1 1-1 0v-.5A1.5 1.5 0 0 1 2.5 10H3V9H1.5a.5.5 0 0 1 0-1H3V7h-.5A1.5 1.5 0 0 1 1 5.5V5a.5.5 0 0 1 1 0v.5a.5.5 0 0 0 .5.5H3c0-1.364.547-2.601 1.432-3.503l-.41-1.352a.5.5 0 0 1 .333-.623M4 7v4a4 4 0 0 0 3.5 3.97V7zm4.5 0v7.97A4 4 0 0 0 12 11V7zM12 6a4 4 0 0 0-1.334-2.982A3.98 3.98 0 0 0 8 2a3.98 3.98 0 0 0-2.667 1.018A4 4 0 0 0 4 6z"/> </svg><br /> ▸ CVE-2024-9996 ◂<br /> Discovered: 29/10/2024<br /> Status: PUBLISHED </a> </td> </tr> </table> <caption> <br /><br /><br /> <p class="vuln-info"> <strong>Tags:</strong><br /> CVE-2023-28439 Vulnerability Details </p> </caption> <br /> </div> </div> </div> </section> <footer> <div class="footer-logo"> <svg xmlns="http://www.w3.org/2000/svg" width="58" height="58" fill="#f18a3b" class="bi bi-cloud-download" viewBox="0 0 16 16"> <path d="M4.406 1.342A5.53 5.53 0 0 1 8 0c2.69 0 4.923 2 5.166 4.579C14.758 4.804 16 6.137 16 7.773 16 9.569 14.502 11 12.687 11H10a.5.5 0 0 1 0-1h2.688C13.979 10 15 8.988 15 7.773c0-1.216-1.02-2.228-2.313-2.228h-.5v-.5C12.188 2.825 10.328 1 8 1a4.53 4.53 0 0 0-2.941 1.1c-.757.652-1.153 1.438-1.153 2.055v.448l-.445.049C2.064 4.805 1 5.952 1 7.318 1 8.785 2.23 10 3.781 10H6a.5.5 0 0 1 0 1H3.781C1.708 11 0 9.366 0 7.318c0-1.763 1.266-3.223 2.942-3.593.143-.863.698-1.723 1.464-2.383"/> <path d="M7.646 15.854a.5.5 0 0 0 .708 0l3-3a.5.5 0 0 0-.708-.708L8.5 14.293V5.5a.5.5 0 0 0-1 0v8.793l-2.146-2.147a.5.5 0 0 0-.708.708z"/> </svg> <span style = "font-size: 22px; color: #fff; padding: 0 10px;"> Free Software Downloads, News and Reviews </span> </div> <div class="footer-inner"> <div class="footer-column"> <strong>Info</strong> <ul> </ul> </div> <div class="footer-column"> <strong>Legal</strong> <ul> <li><a title = "GDPR" href="#">GDPR</a></li> <li><a title = "Contact" href="https://freedownloadsnow.com/contact">Contact</a></li> <li><a title = "ToS" href="#">ToS</a></li> <li><a title = "Sitemap" href="https://freedownloadsnow.com/sitemap">Sitemap</a></li> </ul> </div> <div class="footer-column"> <strong>Partners</strong> <ul> <li> <a target="_blank" title = "Curs Cybersecurity" href="https://www.curs-cybersecurity.ro/"> <svg xmlns="http://www.w3.org/2000/svg" width="15" height="15" fill="currentColor" class="bi bi-shield-fill-check" viewBox="0 0 16 16"> <path fill-rule="evenodd" d="M8 0c-.69 0-1.843.265-2.928.56-1.11.3-2.229.655-2.887.87a1.54 1.54 0 0 0-1.044 1.262c-.596 4.477.787 7.795 2.465 9.99a11.8 11.8 0 0 0 2.517 2.453c.386.273.744.482 1.048.625.28.132.581.24.829.24s.548-.108.829-.24a7 7 0 0 0 1.048-.625 11.8 11.8 0 0 0 2.517-2.453c1.678-2.195 3.061-5.513 2.465-9.99a1.54 1.54 0 0 0-1.044-1.263 63 63 0 0 0-2.887-.87C9.843.266 8.69 0 8 0m2.146 5.146a.5.5 0 0 1 .708.708l-3 3a.5.5 0 0 1-.708 0l-1.5-1.5a.5.5 0 1 1 .708-.708L7.5 7.793z"></path> </svg> Curs-cybersecurity.ro </a> </li> </ul> </div> <div class="footer-column"> <strong>Last News</strong> <ul> <li> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-calendar" viewBox="0 0 16 16"> <path d="M3.5 0a.5.5 0 0 1 .5.5V1h8V.5a.5.5 0 0 1 1 0V1h1a2 2 0 0 1 2 2v11a2 2 0 0 1-2 2H2a2 2 0 0 1-2-2V3a2 2 0 0 1 2-2h1V.5a.5.5 0 0 1 .5-.5M1 4v10a1 1 0 0 0 1 1h12a1 1 0 0 0 1-1V4z"/> </svg> 01/07/2025 <a title = "ArcSight prepares for future at user conference post HP acquisition" href ="https://freedownloadsnow.com/news/news-ArcSight-prepares-for-future-at-user-conference-post-HP-acquisition-id29445"> ArcSight prepares for ... </a><br> <li> </ul> <ul> <li> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-calendar" viewBox="0 0 16 16"> <path d="M3.5 0a.5.5 0 0 1 .5.5V1h8V.5a.5.5 0 0 1 1 0V1h1a2 2 0 0 1 2 2v11a2 2 0 0 1-2 2H2a2 2 0 0 1-2-2V3a2 2 0 0 1 2-2h1V.5a.5.5 0 0 1 .5-.5M1 4v10a1 1 0 0 0 1 1h12a1 1 0 0 0 1-1V4z"/> </svg> 01/07/2025 <a title = "Samsung Epic 4G: First To Use Media Hub" href ="https://freedownloadsnow.com/news/news-Samsung-Epic-4G:-First-To-Use-Media-Hub-id29444"> Samsung Epic 4G: ... </a><br> <li> </ul> <ul> <li> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-calendar" viewBox="0 0 16 16"> <path d="M3.5 0a.5.5 0 0 1 .5.5V1h8V.5a.5.5 0 0 1 1 0V1h1a2 2 0 0 1 2 2v11a2 2 0 0 1-2 2H2a2 2 0 0 1-2-2V3a2 2 0 0 1 2-2h1V.5a.5.5 0 0 1 .5-.5M1 4v10a1 1 0 0 0 1 1h12a1 1 0 0 0 1-1V4z"/> </svg> 01/07/2025 <a title = "Many third-party software fails security tests" href ="https://freedownloadsnow.com/news/news-Many-third-party-software-fails-security-tests-id29443"> Many third-party software ... </a><br> <li> </ul> </div> </div> <div> <div class="footer-social"> <a class="facebook" href="#">facebook</a> <a class="twitter" href="#">twitter</a> <a class="youtube" href="#">youtube</a> <a class="linkedin" href="#">linkedin</a> </div> <p class="copyright"><span>Copyright © 2025 Free Downloads Now</span></p> </div> </footer> </body> </html>