CKSource CKEditor5 35.4.0 Cross Site Scripting

2023.02.09

Credit: Manish Pathak

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2022-48110

CWE: CWE-79

# Exploit Title: Cross Site Scripting in CKSource's CKEditor5 35.4.0
# Google Dork: N/A
# Date: February 09, 2023
# Exploit Author: Manish Pathak
# Vendor Homepage: https://cksource.com/
# Software Link: https://ckeditor.com/ckeditor-5/download/
# Version: 35.4.0
# Tested on: Linux / Web
# CVE : CVE-2022-48110
CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting
(XSS) vulnerability via Full Featured CKEditor5 Widget as the editor fails
to sanitize user provided data.
An attacker can execute arbitrary script in the browser in the context of
the affected site. This can allow the attacker to steal cookie-based
authentication credentials and launch other attacks.
CKEditor5 version 35.4.0 is tested & found to be vulnerable.
Documentation avaiable at
https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html#security
Security Docs Says """The HTML embed feature does not currently execute
code in <script> tags. However, it will execute code in the on* and
src="javascript:..." attributes."""
Payload:
<div class="raw-html-embed">
<script>alert(456)</script>
</div>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CKSource CKEditor5 35.4.0 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.