VDB

CVE-2024-43411

CVE-2024-43411 PUBLISHED CVSS 3.1 LOW

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us. The fix is available in version 4.25.0-lts.

EPSS 0.08% · 23.7th percentile

Risk Scores

CVSS v3.1
3.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
EPSS Score
0.08%
23.7th percentile

Affected Products

Vendor     Product     Versions
ckeditor   ckeditor4   >= 4.22.0, < 4.25.0-lts
npm        ckeditor4   4.22.0

Timeline

  • Jan 21, 1970 Security Advisory
  • Aug 21, 2024 CVE Published
  • Aug 22, 2024 EPSS Score
  • Sep 11, 2024 EPSS Score
  • Oct 2, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score
  • Oct 22, 2024 EPSS Score
  • Nov 12, 2024 EPSS Score
  • Nov 18, 2024 CVE Updated
  • Dec 3, 2024 EPSS Score
  • Dec 24, 2024 EPSS Score
  • Jan 13, 2025 EPSS Score