ubuntu-cve-2023-28439
Vulnerability from osv_ubuntu
Published
2023-03-22 21:15
Modified
2026-05-20 15:02
Summary
Details

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than <textarea> as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the sandbox attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the config.iframe_attributes option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the config.embed_keepOriginalContent option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.


{
  "affected": [
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ckeditor",
            "binary_version": "4.5.7+dfsg-2ubuntu0.16.04.1~esm3"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:16.04:LTS",
        "name": "ckeditor",
        "purl": "pkg:deb/ubuntu/ckeditor@4.5.7+dfsg-2ubuntu0.16.04.1~esm3?arch=source\u0026distro=esm-apps/xenial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.4.4+dfsg1-3",
        "4.5.6+dfsg-1",
        "4.5.7+dfsg-1",
        "4.5.7+dfsg-2",
        "4.5.7+dfsg-2ubuntu0.16.04.1~esm1",
        "4.5.7+dfsg-2ubuntu0.16.04.1~esm2",
        "4.5.7+dfsg-2ubuntu0.16.04.1~esm3"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ldap-account-manager",
            "binary_version": "5.2-1ubuntu1"
          },
          {
            "binary_name": "ldap-account-manager-lamdaemon",
            "binary_version": "5.2-1ubuntu1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:16.04:LTS",
        "name": "ldap-account-manager",
        "purl": "pkg:deb/ubuntu/ldap-account-manager@5.2-1ubuntu1?arch=source\u0026distro=xenial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.9-1",
        "5.1-1",
        "5.2-1",
        "5.2-1ubuntu1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "request-tracker4",
            "binary_version": "4.2.12-5"
          },
          {
            "binary_name": "rt4-apache2",
            "binary_version": "4.2.12-5"
          },
          {
            "binary_name": "rt4-clients",
            "binary_version": "4.2.12-5"
          },
          {
            "binary_name": "rt4-db-mysql",
            "binary_version": "4.2.12-5"
          },
          {
            "binary_name": "rt4-db-postgresql",
            "binary_version": "4.2.12-5"
          },
          {
            "binary_name": "rt4-db-sqlite",
            "binary_version": "4.2.12-5"
          },
          {
            "binary_name": "rt4-doc-html",
            "binary_version": "4.2.12-5"
          },
          {
            "binary_name": "rt4-fcgi",
            "binary_version": "4.2.12-5"
          },
          {
            "binary_name": "rt4-standalone",
            "binary_version": "4.2.12-5"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:16.04:LTS",
        "name": "request-tracker4",
        "purl": "pkg:deb/ubuntu/request-tracker4@4.2.12-5?arch=source\u0026distro=xenial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.2.11-2",
        "4.2.12-3",
        "4.2.12-4",
        "4.2.12-5"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ckeditor",
            "binary_version": "4.5.7+dfsg-2ubuntu0.18.04.1+esm2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:18.04:LTS",
        "name": "ckeditor",
        "purl": "pkg:deb/ubuntu/ckeditor@4.5.7+dfsg-2ubuntu0.18.04.1+esm2?arch=source\u0026distro=esm-apps/bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.5.7+dfsg-2",
        "4.5.7+dfsg-2ubuntu0.18.04.1",
        "4.5.7+dfsg-2ubuntu0.18.04.1+esm1",
        "4.5.7+dfsg-2ubuntu0.18.04.1+esm2"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ckeditor3",
            "binary_version": "3.6.6.1+dfsg-1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:18.04:LTS",
        "name": "ckeditor3",
        "purl": "pkg:deb/ubuntu/ckeditor3@3.6.6.1+dfsg-1?arch=source\u0026distro=bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.6.6.1+dfsg-1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ldap-account-manager",
            "binary_version": "6.2-1"
          },
          {
            "binary_name": "ldap-account-manager-lamdaemon",
            "binary_version": "6.2-1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:18.04:LTS",
        "name": "ldap-account-manager",
        "purl": "pkg:deb/ubuntu/ldap-account-manager@6.2-1?arch=source\u0026distro=bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "5.7-1",
        "6.1-1",
        "6.2-1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "request-tracker4",
            "binary_version": "4.4.2-2ubuntu0.1~esm1"
          },
          {
            "binary_name": "rt4-apache2",
            "binary_version": "4.4.2-2ubuntu0.1~esm1"
          },
          {
            "binary_name": "rt4-clients",
            "binary_version": "4.4.2-2ubuntu0.1~esm1"
          },
          {
            "binary_name": "rt4-db-mysql",
            "binary_version": "4.4.2-2ubuntu0.1~esm1"
          },
          {
            "binary_name": "rt4-db-postgresql",
            "binary_version": "4.4.2-2ubuntu0.1~esm1"
          },
          {
            "binary_name": "rt4-db-sqlite",
            "binary_version": "4.4.2-2ubuntu0.1~esm1"
          },
          {
            "binary_name": "rt4-doc-html",
            "binary_version": "4.4.2-2ubuntu0.1~esm1"
          },
          {
            "binary_name": "rt4-fcgi",
            "binary_version": "4.4.2-2ubuntu0.1~esm1"
          },
          {
            "binary_name": "rt4-standalone",
            "binary_version": "4.4.2-2ubuntu0.1~esm1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:18.04:LTS",
        "name": "request-tracker4",
        "purl": "pkg:deb/ubuntu/request-tracker4@4.4.2-2ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.4.1-5",
        "4.4.2-1",
        "4.4.2-2",
        "4.4.2-2ubuntu0.1~esm1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ckeditor",
            "binary_version": "4.12.1+dfsg-1ubuntu0.1+esm2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:20.04:LTS",
        "name": "ckeditor",
        "purl": "pkg:deb/ubuntu/ckeditor@4.12.1+dfsg-1ubuntu0.1+esm2?arch=source\u0026distro=esm-apps/focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.11.1+dfsg-1",
        "4.12.1+dfsg-1",
        "4.12.1+dfsg-1ubuntu0.1",
        "4.12.1+dfsg-1ubuntu0.1+esm1",
        "4.12.1+dfsg-1ubuntu0.1+esm2"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ckeditor3",
            "binary_version": "3.6.6.1+dfsg-4"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:20.04:LTS",
        "name": "ckeditor3",
        "purl": "pkg:deb/ubuntu/ckeditor3@3.6.6.1+dfsg-4?arch=source\u0026distro=focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.6.6.1+dfsg-3",
        "3.6.6.1+dfsg-4"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ldap-account-manager",
            "binary_version": "6.7-1"
          },
          {
            "binary_name": "ldap-account-manager-lamdaemon",
            "binary_version": "6.7-1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:20.04:LTS",
        "name": "ldap-account-manager",
        "purl": "pkg:deb/ubuntu/ldap-account-manager@6.7-1?arch=source\u0026distro=focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "6.7-1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "request-tracker4",
            "binary_version": "4.4.3-2+deb10u3build0.20.04.1"
          },
          {
            "binary_name": "rt4-apache2",
            "binary_version": "4.4.3-2+deb10u3build0.20.04.1"
          },
          {
            "binary_name": "rt4-clients",
            "binary_version": "4.4.3-2+deb10u3build0.20.04.1"
          },
          {
            "binary_name": "rt4-db-mysql",
            "binary_version": "4.4.3-2+deb10u3build0.20.04.1"
          },
          {
            "binary_name": "rt4-db-postgresql",
            "binary_version": "4.4.3-2+deb10u3build0.20.04.1"
          },
          {
            "binary_name": "rt4-db-sqlite",
            "binary_version": "4.4.3-2+deb10u3build0.20.04.1"
          },
          {
            "binary_name": "rt4-doc-html",
            "binary_version": "4.4.3-2+deb10u3build0.20.04.1"
          },
          {
            "binary_name": "rt4-fcgi",
            "binary_version": "4.4.3-2+deb10u3build0.20.04.1"
          },
          {
            "binary_name": "rt4-standalone",
            "binary_version": "4.4.3-2+deb10u3build0.20.04.1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:20.04:LTS",
        "name": "request-tracker4",
        "purl": "pkg:deb/ubuntu/request-tracker4@4.4.3-2+deb10u3build0.20.04.1?arch=source\u0026distro=focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.4.3-2",
        "4.4.3-2+deb10u3build0.20.04.1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ckeditor3",
            "binary_version": "3.6.6.1+dfsg-7"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:22.04:LTS",
        "name": "ckeditor3",
        "purl": "pkg:deb/ubuntu/ckeditor3@3.6.6.1+dfsg-7?arch=source\u0026distro=jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.6.6.1+dfsg-7"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ldap-account-manager",
            "binary_version": "7.7-1"
          },
          {
            "binary_name": "ldap-account-manager-lamdaemon",
            "binary_version": "7.7-1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:22.04:LTS",
        "name": "ldap-account-manager",
        "purl": "pkg:deb/ubuntu/ldap-account-manager@7.7-1?arch=source\u0026distro=jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "7.5-1",
        "7.7-1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "request-tracker4",
            "binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
          },
          {
            "binary_name": "rt4-apache2",
            "binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
          },
          {
            "binary_name": "rt4-clients",
            "binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
          },
          {
            "binary_name": "rt4-db-mysql",
            "binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
          },
          {
            "binary_name": "rt4-db-postgresql",
            "binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
          },
          {
            "binary_name": "rt4-db-sqlite",
            "binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
          },
          {
            "binary_name": "rt4-doc-html",
            "binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
          },
          {
            "binary_name": "rt4-fcgi",
            "binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
          },
          {
            "binary_name": "rt4-standalone",
            "binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:22.04:LTS",
        "name": "request-tracker4",
        "purl": "pkg:deb/ubuntu/request-tracker4@4.4.4+dfsg-2ubuntu1.22.04.1?arch=source\u0026distro=jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.4.4+dfsg-2ubuntu1",
        "4.4.4+dfsg-2ubuntu1.22.04.1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ckeditor",
            "binary_version": "4.16.2+dfsg-1ubuntu0.1~esm2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:22.04:LTS",
        "name": "ckeditor",
        "purl": "pkg:deb/ubuntu/ckeditor@4.16.2+dfsg-1ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.16.0+dfsg-2",
        "4.16.2+dfsg-1",
        "4.16.2+dfsg-1ubuntu0.1~esm1",
        "4.16.2+dfsg-1ubuntu0.1~esm2"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ckeditor3",
            "binary_version": "3.6.6.1+dfsg-7"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:24.04:LTS",
        "name": "ckeditor3",
        "purl": "pkg:deb/ubuntu/ckeditor3@3.6.6.1+dfsg-7?arch=source\u0026distro=noble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.6.6.1+dfsg-7"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ldap-account-manager",
            "binary_version": "8.5-1"
          },
          {
            "binary_name": "ldap-account-manager-lamdaemon",
            "binary_version": "8.5-1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:24.04:LTS",
        "name": "ldap-account-manager",
        "purl": "pkg:deb/ubuntu/ldap-account-manager@8.5-1?arch=source\u0026distro=noble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "8.3-1",
        "8.5-1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "request-tracker4",
            "binary_version": "4.4.7+dfsg-1"
          },
          {
            "binary_name": "rt4-apache2",
            "binary_version": "4.4.7+dfsg-1"
          },
          {
            "binary_name": "rt4-clients",
            "binary_version": "4.4.7+dfsg-1"
          },
          {
            "binary_name": "rt4-db-mysql",
            "binary_version": "4.4.7+dfsg-1"
          },
          {
            "binary_name": "rt4-db-postgresql",
            "binary_version": "4.4.7+dfsg-1"
          },
          {
            "binary_name": "rt4-db-sqlite",
            "binary_version": "4.4.7+dfsg-1"
          },
          {
            "binary_name": "rt4-doc-html",
            "binary_version": "4.4.7+dfsg-1"
          },
          {
            "binary_name": "rt4-fcgi",
            "binary_version": "4.4.7+dfsg-1"
          },
          {
            "binary_name": "rt4-standalone",
            "binary_version": "4.4.7+dfsg-1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:24.04:LTS",
        "name": "request-tracker4",
        "purl": "pkg:deb/ubuntu/request-tracker4@4.4.7+dfsg-1?arch=source\u0026distro=noble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.4.4+dfsg-2ubuntu1",
        "4.4.4+dfsg-2ubuntu2",
        "4.4.7+dfsg-1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ldap-account-manager",
            "binary_version": "9.0-1"
          },
          {
            "binary_name": "ldap-account-manager-lamdaemon",
            "binary_version": "9.0-1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:25.10",
        "name": "ldap-account-manager",
        "purl": "pkg:deb/ubuntu/ldap-account-manager@9.0-1?arch=source\u0026distro=questing"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "9.0-1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "request-tracker4",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-apache2",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-clients",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-db-mysql",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-db-postgresql",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-db-sqlite",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-doc-html",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-fcgi",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-standalone",
            "binary_version": "4.4.7+dfsg-4syncable1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:25.10",
        "name": "request-tracker4",
        "purl": "pkg:deb/ubuntu/request-tracker4@4.4.7+dfsg-4syncable1?arch=source\u0026distro=questing"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.4.7+dfsg-4syncable1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "ldap-account-manager",
            "binary_version": "9.0-1build1"
          },
          {
            "binary_name": "ldap-account-manager-lamdaemon",
            "binary_version": "9.0-1build1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:26.04:LTS",
        "name": "ldap-account-manager",
        "purl": "pkg:deb/ubuntu/ldap-account-manager@9.0-1build1?arch=source\u0026distro=resolute"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "9.0-1",
        "9.0-1build1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "request-tracker4",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-apache2",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-clients",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-db-mysql",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-db-postgresql",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-db-sqlite",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-doc-html",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-fcgi",
            "binary_version": "4.4.7+dfsg-4syncable1"
          },
          {
            "binary_name": "rt4-standalone",
            "binary_version": "4.4.7+dfsg-4syncable1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:26.04:LTS",
        "name": "request-tracker4",
        "purl": "pkg:deb/ubuntu/request-tracker4@4.4.7+dfsg-4syncable1?arch=source\u0026distro=resolute"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.4.7+dfsg-4syncable1"
      ]
    }
  ],
  "aliases": [],
  "details": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `\u003ctextarea\u003e` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.",
  "id": "UBUNTU-CVE-2023-28439",
  "modified": "2026-05-20T15:02:33Z",
  "published": "2023-03-22T21:15:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2023-28439"
    },
    {
      "type": "REPORT",
      "url": "https://ckeditor.com/cke4/addon/iframe"
    },
    {
      "type": "REPORT",
      "url": "https://ckeditor.com/cke4/addon/embed"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g"
    },
    {
      "type": "REPORT",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28439"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "medium",
      "type": "Ubuntu"
    }
  ],
  "upstream": [
    "CVE-2023-28439"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…