github - ghsa-j3mm-wmfm-mwvh

ghsa-j3mm-wmfm-mwvh

Vulnerability from github

Published

2025-02-20 20:16

Modified

2025-02-20 22:53

Severity ?

6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package

Details

Impact

During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users' positions within the document.

This vulnerability affects only installations with Real-time collaborative editing enabled.

Patches

The problem has been recognized and patched. The fix will be available in version 44.2.1 (and above).

For more information

Email us at security@cksource.com if you have any questions or comments about this advisory.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 44.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@ckeditor/ckeditor5-real-time-collaboration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "41.3.0"
            },
            {
              "fixed": "44.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 44.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "ckeditor5-premium-features"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "42.0.0"
            },
            {
              "fixed": "44.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25299"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-20T20:16:31Z",
    "nvd_published_at": "2025-02-20T20:15:46Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nDuring a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users\u0027 positions within the document.\n\nThis vulnerability affects only installations with [Real-time collaborative editing](https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html) enabled.\n\n### Patches\nThe problem has been recognized and patched. The fix will be available in version 44.2.1 (and above).\n\n### For more information\nEmail us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory.",
  "id": "GHSA-j3mm-wmfm-mwvh",
  "modified": "2025-02-20T22:53:45Z",
  "published": "2025-02-20T20:16:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-j3mm-wmfm-mwvh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25299"
    },
    {
      "type": "WEB",
      "url": "https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html"
    },
    {
      "type": "WEB",
      "url": "https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html?docId=ee1dca024c9b4e44aef039f99ebe6c664"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ckeditor/ckeditor5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ckeditor/ckeditor5/releases/tag/v44.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package"
}

CVE-2025-25299 (GCVE-0-2025-25299)

Vulnerability from cvelistv5

Published

2025-02-20 19:23

Modified

2025-02-20 19:47

Severity ?

2.3 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Summary

CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. During a recent internal audit, a Cross-Site Scripting (XSS) vulnerability was discovered in the CKEditor 5 real-time collaboration package. This vulnerability affects user markers, which represent users' positions within the document. It can lead to unauthorized JavaScript code execution, which might happen with a very specific editor and token endpoint configuration. This vulnerability affects only installations with Real-time collaborative editing enabled. The problem has been recognized and patched. The fix is available in version 44.2.1 (and above). Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

►

URL

Tags

	https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-j3mm-wmfm-mwvh	x_refsource_CONFIRM
	https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html	x_refsource_MISC
	https://github.com/ckeditor/ckeditor5/releases/tag/v44.2.1	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ckeditor	ckeditor5	Version: @ckeditor/ckeditor5-real-time-collaboration: >= 41.3.0, < 44.2.1 Version: ckeditor5-premium-features: >= 42.0.0, < 44.2.1

Show details on NVD website