CVE-2022-48110

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/ckeditor

Identifiers

CVE-2022-48110

Package Slug

npm/ckeditor

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation states that it is the responsibility of the integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Safe default values are also established (e.g., config.htmlEmbed.showPreviews is false).

Affected Versions

Version 35.4.0

Solution

Unfortunately, there is no solution available yet.

Last Modified

2023-11-08
