{"vulnerability": "CVE-2023-28439", "sightings": [{"uuid": "5988dda2-bc49-4231-83d4-e47df11075f8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-28439", "type": "seen", "source": "https://t.me/ctinow/181990", "content": "https://ift.tt/GR07LNV\nCVE-2023-28439 | Oracle Analytics Desktop 6.4.0.0.0/7.0.0.0.0 Visual Analyzer Integration cross site scripting", "creation_timestamp": "2024-02-09T12:51:19.000000Z"}, {"uuid": "e9e1f691-397c-4dbb-992f-97f0f85818f7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-28439", "type": "seen", "source": "https://t.me/cibsecurity/60526", "content": "\u203c CVE-2023-28439 \u203c\n\nCKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-22T23:36:13.000000Z"}]}