CKEditor and Angular Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in CKEditor version 46.1.0 and Angular version 18.0.0. This vulnerability allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload into a CKEditor field. The issue arises when the link feature in CKEditor is used to insert a link containing JavaScript, which is then executed in the browser of the user viewing the content.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create a CKEditor field configured with AngularJS that displays results on the same page. Once the field is set up, inject a link containing a JavaScript payload, such as 'javascript:alert('xss');'. Although AngularJS sanitizes this payload by adding an 'unsafe' keyword, the 'data' keyword is not blocked. This allows for the injection of a link with a 'data:text/html' payload containing a script tag, which can bypass Angular's sanitization and execute the JavaScript when the link is opened in a new tab.