CVE-2024-43407: Code Snippet GeSHi plugin has reflected cross-site scripting (XSS) vulnerability
A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim.
The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server.
References
- github.com/advisories/GHSA-7r32-vfj5-c2jv
- github.com/ckeditor/ckeditor4
- github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94
- github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa
- github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv
- nvd.nist.gov/vuln/detail/CVE-2024-43407
Detect and mitigate CVE-2024-43407 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →