Ckeditor5-markdown-gfm-Cross-site Scripting

This article is a part of our Vulnerability Database (back to index)

Cross-site Scripting occurrences in Ckeditor5-markdown-gfm

CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5's packages in versions prior to 35.0.1. The vulnerability allowed to trigger a JavaScript code after fulfilling special conditions. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The specific conditions are 1) Using one of the affected packages. In case of `ckeditor5-html-support` and `ckeditor5-html-embed`, additionally, it was required to use a configuration that allows unsafe markup inside the editor. 2) Destroying the editor instance and 3) Initializing the editor on an element and using an element other than `` as a base. The root cause of the issue was a mechanism responsible for updating the source element with the markup coming from the CKEditor 5 data pipeline after destroying the editor. This vulnerability might affect a small percent of integrators that depend on dynamic editor initialization/destroy and use Markdown, General HTML Support or HTML embed features. The problem has been recognized and patched. The fix is available in version 35.0.1. There are no known workarounds for this issue. (2022-08-03, <a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31175">CVE-2022-31175</a>)</p></p> </div> <h2 class="typo-h4 m-40"> <p>Why Cross-site Scripting can be dangerous</p> </h2> <div style="margin: 2em;"> <p>Cross site scripting is an attack where a web page executes code that is injected by an adversary. It usually appears, when users input is presented. This attack can be used to impersonate a user, take over control of the session, or even steal API keys.</p> <p>The attack can be executed e.g. when you application injects the request parameter directly into the HTML code of the page returned to the user:</p> <p class="feature-text">https://server.com/confirmation?message=Transaction+Complete</p> <p>what results in:</p> <p class="feature-text"><span>Confirmation: Transaction Complete</span></p> <p>In that case the message can be modified to become a valid Javascript code, e.g.:</p> <p class="feature-text">https://server.com/confirmation?message=<script>dangerous javascript code here</script></p> <p>and it will be executed locally by the user's browser with full access to the user's personal application/browser data:</p> <p class="feature-text"><span>Confirmation: <script>dangerous javascript code here</script></span></p> </div> <a href="/scan-now" class="btn btn--fill"><span>Scan Your Web App Now</span></a> </div> </div> </section> </div> <section class="get-started"> <div class="wrap wrap--inner animate"> <div class="header header--center"> <div class="typo-h2"> <h5>Scan your application<br> for 14 days for free</h5> </div> <p>No credit card is required. No commitment.</p> </div> <a href="/register" class="btn btn--fill"><span>Sign Up Free</span></a> </div> </section> <footer class="footer"> <div class="wrap wrap--inner clearfix"> <div class="col"> <h6>Contact</h6> <p><strong><a href="mailto:team@scanrepeat.com">team@scanrepeat.com</a><br>+1 (415) 340-8020</strong></p> <p><strong>ScanRepeat</strong><br>a Ventures CDX company</p> <p><strong>USA</strong><br>117 Park Avenue, San Jose<br>CA 95113</p> <p><strong>EMEA</strong><br>Laciarska 4, 50-104 Wroclaw<br>Poland</p> </div> <div class="col"> <h6>Product</h6> <ul> <li class=""> <a href="/features" title="Features">Features</a> </li> <li class=""> <a href="/#pricing" title="Pricing">Pricing</a> </li> <li class=""> <a href="/#faq" title="FAQ">FAQ</a> </li> <li class=""> <a href="/#how-it-works" title="How it works">How it works</a> </li> <li class=""> <a href="/web-security-knowledge-base" title="Web Security Knowledge Base">Web Security Knowledge Base</a> </li> <li class=""> <a href="/security-tests" title="Security tests">Security tests</a> </li> <li class=""> <a href="/top-security-issues" title="Top Security Issues (last 30 days)">Top Security Issues (last 30 days)</a> </li> </ul> </div> <div class="col"> <h6>Legal</h6> <ul> <li class=""> <a href="/terms" title="Terms of use">Terms of use</a> </li> <li class=""> <a href="/privacy-policy" title="Privacy policy">Privacy policy</a> </li> <li class=""> <a href="/cookies-policy" title="Cookies policy">Cookies policy</a> </li> </ul> </div> <div class="footer__social social"> <ul> <li> <a href="https://www.facebook.com/ScanRepeat/" aria-label="Facebook" target="_blank" rel="nofollow"><i class="icon-facebook"></i></a> </li> <li> <a href="https://twitter.com/ScanRepeat" aria-label="Twitter" target="_blank" rel="nofollow"><i class="icon-twitter"></i></a> </li> <li> <a href="https://www.linkedin.com/showcase/scanrepeat/" aria-label="LinkedIn" target="_blank" rel="nofollow"><i class="icon-linkedin"></i></a> </li> <li> <a href="https://github.com/ScanRepeat" aria-label="GitHub" target="_blank" rel="nofollow"><i class="icon-github"></i></a> </li>  </ul> </div> </div> <div class="wrap wrap--inner"> <div class="footer__copy"> <p>© ScanRepeat 2020</p> </div> </div> </footer> </main> <script src="/vendor/scripts/vendor.js?v=2301101430"></script> <script src="/vendor/scripts/main.js?v=2301101430"></script> <script src="/vendor/scripts/public_general.js?v=2301101430"></script> </body> </html>