#VU31182 Cross-site scripting in CKEditor - CVE-2018-17960


| Updated: 2020-07-17

Vulnerability identifier: #VU31182

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-17960

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CKEditor
Web applications / JS libraries

Vendor: CKSource

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.

Mitigation
Install update from vendor's website.

Vulnerable software versions

CKEditor: 4.0.0 - 4.10.1

External links
https://www.securityfocus.com/bid/109205
https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/
https://ckeditor.com/cke4/release/CKEditor-4.11.0
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Engineering Requirements Management DOORS/DWA
Cross-site scripting in otrs (Alpine package)
Cross-site scripting in CKSource CKEditor
Multiple vulnerabilities in IBM Engineering Workflow Management (EWM)