Advisories for the npm/@ckeditor/ckeditor5-clipboard package

2024

Cross-site scripting (XSS) in the clipboard package

During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability affects only installations where the editor configuration meets the following criteria: