GHSA-M8FW-P3CR-6JQC

Vulnerability from github – Published: 2023-07-25 19:11 – Updated: 2023-07-26 22:57
VLAI
Summary
Cross-Site Scripting in CKEditor4 WordCount Plugin
Details

CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C (4.4)

Problem

The WordCount plugin (npm:ckeditor-wordcount-plugin) for CKEditor4 is vulnerable to cross-site scripting when switching to the source code mode. This plugin is enabled via the Full.yaml configuration present, but is not active in the default configuration.

In default scenarios, exploiting this vulnerability requires a valid backend user account. However, if custom plugins are used on the website frontend, which accept and reflect rich-text content submitted by users, no authentication is required.

Solution

Update to TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30 that fix the problem described above.

Credits

Thanks to Sybille Peters who reported this issue, and to TYPO3 core & security team member Oliver Hader who fixed the issue.

References

  • TYPO3-CORE-SA-2023-004
  • https://github.com/w8tcha/CKEditor-WordCount-Plugin/security/advisories/GHSA-q9w4-w667-qqj4
Severity
4.7 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-rte-ckeditor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.5.0"
            },
            {
              "fixed": "9.5.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-rte-ckeditor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.39"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-rte-ckeditor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.5.30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-25T19:11:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "\u003e ### CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.4) \n\n### Problem\nThe [WordCount](https://ckeditor.com/cke4/addon/wordcount) plugin ([`npm:ckeditor-wordcount-plugin`](https://www.npmjs.com/package/ckeditor-wordcount-plugin)) for CKEditor4 is vulnerable to cross-site scripting when switching to the source code mode. This plugin is enabled via the `Full.yaml` configuration present, but is not active in the default configuration.\n\nIn default scenarios, exploiting this vulnerability requires a valid backend user account. However, if custom plugins are used on the website frontend, which accept and reflect rich-text content submitted by users, no authentication is required.\n\n### Solution\nUpdate to TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30 that fix the problem described above.\n\n### Credits\nThanks to Sybille Peters who reported this issue, and to TYPO3 core \u0026 security team member Oliver Hader who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2023-004](https://typo3.org/security/advisory/typo3-core-sa-2023-004)\n* https://github.com/w8tcha/CKEditor-WordCount-Plugin/security/advisories/GHSA-q9w4-w667-qqj4",
  "id": "GHSA-m8fw-p3cr-6jqc",
  "modified": "2023-07-26T22:57:41Z",
  "published": "2023-07-25T19:11:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-m8fw-p3cr-6jqc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3/typo3"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2023-004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-Site Scripting in CKEditor4 WordCount Plugin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.