CKEditor 5 and CKEditor 5 Clipboard Cross-Site Scripting Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in CKEditor 5 and the CKEditor 5 Clipboard package, affecting versions 46.0.0 through 46.0.2, as well as 44.2.0 through 45.2.1. The vulnerability allows unauthorized execution of JavaScript code when an attacker can insert malicious content into the editor, which is possible only under specific configuration conditions: installations where the HTML embed plugin is enabled, or where a custom plugin introduces an editable element with the RawElement view enabled.

Impact

Exploitation of this vulnerability allows for Cross-Site Scripting (XSS) attacks, enabling the execution of malicious JavaScript in the victim's browser.

Reproduction

To reproduce this vulnerability, enable the HTML embed plugin or a custom plugin that introduces an editable element with the RawElement view. Then, insert malicious content, such as an image tag with an 'onerror' JavaScript handler, into the editor. The XSS payload will be executed when the content is processed by the 'viewToPlainText' utility.

Remediation

Users can upgrade to CKEditor 5 versions 46.0.3 or 45.2.2 to address this vulnerability.
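A defender-side check that maps the affected ranges and fixed versions stated above onto a project's package-lock.json, added here as an example and not CKEditor's own code. The lockfile fragment is constructed sample data, and matching CKEditor 5 packages by the `ckeditor5` name and the `@ckeditor/ckeditor5-` prefix is an assumption.

```javascript
// Added example, not CKEditor's own code: flag CKEditor 5 packages whose
// version falls inside the affected ranges stated in the advisory.
// Assumption: versions are semver MAJOR.MINOR.PATCH; a pre-release suffix
// is tolerated but ignored when comparing.
const AFFECTED_RANGES = [
  { min: [44, 2, 0], max: [45, 2, 1] }, // fixed in 45.2.2
  { min: [46, 0, 0], max: [46, 0, 2] }, // fixed in 46.0.3
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some((r) => compare(v, r.min) >= 0 && compare(v, r.max) <= 0);
}

// Walk a package-lock.json (lockfileVersion 2/3) "packages" map, whose keys
// are node_modules paths, and report CKEditor 5 entries in an affected range.
function findAffectedPackages(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    const isCk = name === "ckeditor5" || name.startsWith("@ckeditor/ckeditor5-");
    if (isCk && entry.version && isAffected(entry.version)) {
      hits.push({ name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment, not taken from a real project.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/ckeditor5": { version: "46.0.2" },
    "node_modules/@ckeditor/ckeditor5-clipboard": { version: "46.0.2" },
    "node_modules/@ckeditor/ckeditor5-html-embed": { version: "45.2.2" },
    "node_modules/lodash-es": { version: "4.17.21" },
  },
};

console.log(findAffectedPackages(SAMPLE_LOCK)); // the two 46.0.2 entries are flagged
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK`; an empty result means every CKEditor 5 package is outside the affected ranges.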

Added: Sep 4, 2025, 11:30 AM
Updated: Sep 4, 2025, 4:09 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 1.7
exploitability: 5.4
remediation: 8.3
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.