{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45613", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-02T16:00:02.425Z", "datePublished": "2024-09-25T13:27:03.546Z", "dateUpdated": "2024-10-01T21:20:44.633Z"}, "containers": {"cna": {"title": "CKEditor 5 has Cross-site Scripting vulnerability in the clipboard package", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v"}, {"name": "https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1"}], "affected": [{"vendor": "ckeditor", "product": "ckeditor5", "versions": [{"version": ">= 40.0.0, < 43.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-01T21:20:44.633Z"}, "descriptions": [{"lang": "en", "value": "CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either the General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. As a workaround, one may disable the block toolbar plugin."}], "source": {"advisory": "GHSA-rgg8-g5x8-wr9v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-25T14:23:40.264051Z", "id": "CVE-2024-45613", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T14:23:49.048Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45613", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-25T14:23:40.264051Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T14:23:45.824Z"}}], "cna": {"title": "CKEditor 5 has Cross-site Scripting vulnerability in the clipboard package", "source": {"advisory": "GHSA-rgg8-g5x8-wr9v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ckeditor", "product": "ckeditor5", "versions": [{"status": "affected", "version": ">= 40.0.0, < 43.1.1"}]}], "references": [{"url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v", "name": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1", "name": "https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either the General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. As a workaround, one may disable the block toolbar plugin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-01T21:20:44.633Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45613", "state": "PUBLISHED", "dateUpdated": "2024-10-01T21:20:44.633Z", "dateReserved": "2024-09-02T16:00:02.425Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-25T13:27:03.546Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ckeditor:ckeditor5:*:*:*:*:*:*:*:*", "matchCriteriaId": "39B7461E-12D2-4069-9B0A-365BF11B83AD", "versionEndExcluding": "43.1.1", "versionStartIncluding": "40.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either the General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. As a workaround, one may disable the block toolbar plugin."}, {"lang": "es", "value": "CKEditor 5 es un editor de texto enriquecido de JavaScript. A partir de la versi\u00f3n 40.0.0 y antes de la versi\u00f3n 43.1.1, existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el paquete de portapapeles de CKEditor 5. Esta vulnerabilidad podr\u00eda ser activada por una acci\u00f3n espec\u00edfica del usuario, lo que llevar\u00eda a la ejecuci\u00f3n no autorizada de c\u00f3digo JavaScript, si el atacante lograra insertar un contenido malicioso en el editor, lo que podr\u00eda suceder con una configuraci\u00f3n de editor muy espec\u00edfica. Esta vulnerabilidad solo afecta a las instalaciones donde est\u00e1 habilitado el complemento Block Toolbar y tambi\u00e9n est\u00e1 habilitado General HTML Support (con una configuraci\u00f3n que permite marcado no seguro) o el complemento HTML Embed. Hay una soluci\u00f3n para el problema disponible en la versi\u00f3n 43.1.1. Como workaround, se puede deshabilitar el complemento Block Toolbar."}], "id": "CVE-2024-45613", "lastModified": "2024-10-01T22:15:02.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-25T14:15:05.303", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}