DescriptionCKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1034481, 1059301

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ckeditor (PTS)buster4.11.1+dfsg-1vulnerable
sid, trixie4.22.1+dfsg1-2fixed
ckeditor3 (PTS)buster3.6.6.1+dfsg-3vulnerable
sid, trixie, bookworm, bullseye3.6.6.1+dfsg-7vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[bookworm] - ckeditor <no-dsa> (Minor issue)
[bullseye] - ckeditor <no-dsa> (Minor issue)
[buster] - ckeditor <no-dsa> (Minor issue)
[bookworm] - ckeditor3 <no-dsa> (Minor issue)
[bullseye] - ckeditor3 <no-dsa> (Minor issue)
[buster] - ckeditor3 <end-of-life> (No longer supported in LTS) (4.21.0)

Search for package or bug name: Reporting problems