ckeditor4 4.25.0
Official distribution releases of CKEditor 4.
Install: npm install ckeditor4
Current version release date: August 21, 2024
Language: JavaScript/TypeScript
Package URL (purl): pkg:npm/ckeditor4@4.25.0
ckeditor4 Vulnerabilities
CVE | CVSS Score | CWE(s) | EPSS Score | EPSS Percentile |
---|---|---|---|---|
CVE-2020-27193 | Medium 6.1 | CWE-79 | 0.00214 | 0.60193 |
CVE-2021-26272 | Medium 6.5 | CWE-829 | 0.00196 | 0.58307 |
CVE-2021-32808 | Medium 5.4 | CWE-79 | 0.00146 | 0.51893 |
CVE-2021-32809 | Medium 5.4 | CWE-94, CWE-79 | 0.00163 | 0.54131 |
CVE-2021-33829 | Medium 6.1 | CWE-79 | 0.0054 | 0.77976 |
CVE-2021-37695 | Medium 5.4 | CWE-79 | 0.00225 | 0.61517 |
CVE-2021-41164 | Medium 5.4 | CWE-79 | 0.00448 | 0.75775 |
CVE-2021-41165 | Medium 5.4 | CWE-79 | 0.00299 | 0.70232 |
CVE-2022-24728 | Medium 5.4 | CWE-79 | 0.00158 | 0.53399 |
CVE-2023-4771 | Medium 6.1 | CWE-79 | 0.00063 | 0.28832 |
CVE-2024-24815 | Medium 6.1 | CWE-79 | 0.00059 | 0.26546 |
CVE-2024-24816 | Medium 6.1 | CWE-79 | 0.00052 | 0.22097 |
CVE-2024-43407 | Medium 6.1 | CWE-79 | 0.00052 | 0.22067 |
CVE-2020-9281 | Medium 6.1 | CWE-79 | 0.00163 | 0.54134 |
CVE-2024-43411 | Low 3.1 | CWE-79 | 0.00043 | 0.10406 |
ckeditor4 Vulnerability Remediation Guidance
CVE | Description | Full list of Impacted Versions | Fix |
---|---|---|---|
CVE-2024-43411 | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us. The fix is available in version 4.25.0-lts. | 4.22.1, 4.23.0, 4.22.0, 4.24.0 | Minor → 4.25.0 |
CVE-2024-43407 | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in the CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is available in version 4.25.0-lts. | 4.14.0, 4.15.1, 4.16.0, 4.16.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 (Show all) | Minor → 4.25.0 |
CVE-2024-24816 | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users of CKEditor 4 at version < 4.24.0-lts with the affected samples used in a production environment. A fix is available in version 4.24.0-lts. | 4.14.0, 4.15.1, 4.16.0, 4.16.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 (Show all) | Minor → 4.25.0 |
CVE-2024-24815 | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in the Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing the Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts. | 4.14.0, 4.15.1, 4.16.0, 4.16.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 (Show all) | Minor → 4.25.0 |
CVE-2023-4771 | A cross-site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious JavaScript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information. | 4.14.0, 4.15.1, 4.16.0, 4.16.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 (Show all) | Minor → 4.25.0 |
CVE-2022-24728 | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. | 4.14.0, 4.15.1, 4.16.0, 4.16.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 (Show all) | Minor → 4.25.0 |
CVE-2021-41165 | CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed an attacker to inject malformed comment HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users of CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. | 4.14.0, 4.15.1, 4.16.0, 4.16.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 (Show all) | Minor → 4.25.0 |
CVE-2021-41164 | CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed an attacker to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users of CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. | 4.14.0, 4.15.1, 4.16.0, 4.16.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 (Show all) | Minor → 4.25.0 |
CVE-2021-37695 | ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in the CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed an attacker to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users of the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2. | 4.14.0, 4.15.1, 4.16.0, 4.16.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 | Minor → 4.25.0 |
CVE-2021-33829 | A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. | 4.14.0, 4.15.1, 4.16.0, 4.15.0, 4.14.1 | Minor → 4.25.0 |
CVE-2021-32809 | ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in the CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed an attacker to abuse the paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users of the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2. | 4.14.0, 4.15.1, 4.16.0, 4.16.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 | Minor → 4.25.0 |
CVE-2021-32808 | ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse the undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users of the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2. | 4.14.0, 4.15.1, 4.16.0, 4.16.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 | Minor → 4.25.0 |
CVE-2021-26272 | It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin). | 4.14.0, 4.15.1, 4.15.0, 4.13.1, 4.14.1, 4.13.0 | Minor → 4.25.0 |
CVE-2020-9281 | A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). | 4.13.1, 4.13.0 | Minor → 4.25.0 |
CVE-2020-27193 | A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of the editor inputs. | 4.14.0, 4.15.0, 4.13.1, 4.14.1, 4.13.0 | Minor → 4.25.0 |