CVE-2024-43411

Name	CVE-2024-43411
Description	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us. The fix is available in version 4.25.0-lts.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ckeditor (PTS)	bullseye	4.16.0+dfsg-2	fixed
	bookworm	4.19.1+dfsg-1	fixed
	sid, trixie	4.22.1+dfsg1-2	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
ckeditor	source	bullseye	(not affected)
ckeditor	source	bookworm	(not affected)
ckeditor	source	(unstable)	(unfixed)	unimportant

Notes

[bookworm] - ckeditor <not-affected> (Vulnerable code not present)
[bullseye] - ckeditor <not-affected> (Vulnerable code not present)
Introduced after: https://github.com/ckeditor/ckeditor4/commit/b7b2f4748be71eb01c2f99afefaff002f5061a3e (4.22.0)
Fixed by: https://github.com/ckeditor/ckeditor4/commit/a29e4fd5904da5f2d29dc77da9baac76a14ca266 (4.25.0-lts)
Fixed by: https://github.com/ckeditor/ckeditor4/commit/a757c3da466ca01e76505af4b446b3dcde0ae9f5 (4.25.0-lts)
Fixed by: https://github.com/ckeditor/ckeditor4/commit/e35bbadc15e2ae76e39b3fc963b851ecc0da4b28 (4.25.0-lts)
Negligible security impact; feature disabled by default.