Description
ckeditor-wordcount-plugin is an open source WordCount plugin for CKEditor. The `ckeditor-wordcount-plugin` plugin for CKEditor 4 has been found to be susceptible to cross-site scripting (XSS) when the editor is switched to source code mode. This issue has been addressed in version 1.17.12 of the `ckeditor-wordcount-plugin` plugin, and users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: None
Affected products
- TYPO3 / cms-rte-ckeditor: >= 10.0.0, < 10.4.39
- TYPO3 / cms-rte-ckeditor: >= 11.0.0, < 11.5.30
- w8tcha / CKEditor-WordCount-Plugin: < 1.17.12
References
- VENDOR_ADVISORY: https://github.com/w8tcha/CKEditor-WordCount-Plugin/security/advisories/GHSA-q9w4-w667-qqj4
- PATCH: https://github.com/w8tcha/CKEditor-WordCount-Plugin/commit/0f03b3e5b7c1409998a13aba3a95396e6fa349d8
- PATCH: https://github.com/w8tcha/CKEditor-WordCount-Plugin/commit/a4b154bdf35b3465320136fcb078f196b437c2f1
- VENDOR_ADVISORY: https://github.com/TYPO3/typo3/security/advisories/GHSA-m8fw-p3cr-6jqc
- MISC: https://typo3.org/security/advisory/typo3-core-sa-2023-004