CVE-2023-4771: Cross-Site Scripting vulnerability in CKSource CKEditor

Published Nov 16, 2023
·
Updated

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wh5w-82f3-wrxh. This link is maintained to preserve external references.

Original Description A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information.

Other sources

Affected packages The vulnerability has been discovered in the AJAX sample available at the samples/old/ajax.html file location. All integrators that use that sample in the production code can be affected.

Impact

A potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. It affects all users using the CKEditor 4 at version < 4.24.0-lts where samples/old/ajax.html is used in a production environment.

Patches The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information Email us at security@cksource.com if you have any questions or comments about this advisory.

Acknowledgements The CKEditor 4 team would like to thank Rafael Pedrero and INCIBE (original report) for recognizing and reporting this vulnerability.

GitHub

A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information.

Affected Software

3 affected componentsFixes available
npm/ckeditor4<=4.15.1
npm/ckeditor4<4.24.0-lts
4.24.0-lts
CKSource Ckeditor Wordpress<=4.15.1

Event History

Nov 16, 2023
CVE Published
02:08 PM
Data Sourced
02:08 PM
DescriptionSeverityWeakness
Advisory Published
03:30 PM
Feb 7, 2024
Advisory Published
via GitHub·05:34 PM
Data Sourced
via GitHub·05:34 PM
DescriptionSeverityWeaknessAffected Software
Withdrawn
via GitHub·06:20 PM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID of the Cross-Site Scripting vulnerability in CKSource CKEditor?

The vulnerability ID is CVE-2023-4771.

2

What is the severity rating of CVE-2023-4771?

The severity rating of CVE-2023-4771 is 6.1 (Medium).

3

Which versions of CKSource CKEditor are affected by CVE-2023-4771?

Versions 4.15.1 and earlier of CKSource CKEditor are affected by CVE-2023-4771.

4

How can an attacker exploit CVE-2023-4771?

An attacker can exploit CVE-2023-4771 by sending malicious javascript code through the /ckeditor/samples/old/ajax.html file.

5

How can I fix the Cross-Site Scripting vulnerability in CKSource CKEditor (CVE-2023-4771)?

To fix the vulnerability, it is recommended to upgrade CKSource CKEditor to version 4.15.2 or later.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203