CVE-2024-45613

NameCVE-2024-45613
DescriptionCKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either the General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. As a workaround, one may disable the block toolbar plugin.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ckeditor (PTS)bullseye4.16.0+dfsg-2fixed
bookworm4.19.1+dfsg-1fixed
sid, trixie4.22.1+dfsg1-2fixed
ckeditor3 (PTS)sid, trixie, bookworm, bullseye3.6.6.1+dfsg-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ckeditorsource(unstable)(not affected)
ckeditor3source(unstable)(not affected)

Notes

- ckeditor <not-affected> (Specific to ckeditor 5)
- ckeditor3 <not-affected> (Specific to ckeditor 5)

Search for package or bug name: Reporting problems