CKEditor 4.0 Security Vulnerabilities
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
CVSS Score: 6.5
EPSS Score: 0.003
Published: 2021-01-26
A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.
CVSS Score: 6.1
EPSS Score: 0.005
Published: 2020-03-10
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
CVSS Score: 6.1
EPSS Score: 0.01
Published: 2020-03-07
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
CVSS Score: 6.1
EPSS Score: 0.015
Published: 2018-11-14
Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score: 4.3
EPSS Score: 0.003
Published: 2014-08-07

