CKEditor4, the popular open-source WYSIWYG HTML editor, contains a critical cross-site scripting (XSS) vulnerability in its Iframe Dialog and Media Embed packages. Web applications that use the affected packages are at risk of attacker-controlled JavaScript executing in the context of the page.

This vulnerability (CVE-2023-28439) is triggered only when all three of the following conditions are met:

1. A web page uses one or more of the affected CKEditor4 packages (Iframe Dialog or Media Embed).

2. The page lacks a proper Content Security Policy (CSP) configuration.

3. The CKEditor4 instance is destroyed, as happens in applications that create and destroy editors dynamically.

Only the subset of CKEditor4 deployments that rely on the dynamic editor initialization/destroy mechanism is exposed, but for those deployments the impact is significant: the outcome is arbitrary JavaScript execution in the page.

To address this flaw, CKEditor4 has released a patch in version 4.21. Note that in rare cases the fix can be a breaking change, because two defaults changed:

- Starting with version 4.21, the Iframe Dialog plugin automatically applies the sandbox attribute to the iframe element, which blocks JavaScript execution inside the iframe. To relax this default, set the config.iframe_attributes option.
- Also as of version 4.21, the Media Embed plugin regenerates the entire content of the embed widget by default instead of keeping the original markup. To restore the previous behavior, set the config.embed_keepOriginalContent option.

Code snippet example (configuring CKEditor4 options; this relaxes the Iframe Dialog sandbox while keeping the Media Embed default)

// 'allow-scripts' re-enables script execution inside dialog iframes that
// 4.21 blocks by default, so the page's CSP must compensate for it.
// embed_keepOriginalContent: false is the 4.21 default (widget content is
// regenerated); set it to true only if you need the old behavior.
CKEDITOR.replace('editor1', {
    iframe_attributes: { sandbox: 'allow-scripts' },
    embed_keepOriginalContent: false
});

Users who keep the more permissive settings, or who cannot upgrade to the patched version yet, must configure a Content Security Policy (CSP) correctly, so that iframe elements embedded in their pages cannot be used to run injected script.
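As an added example (not code from the CKEditor4 advisory or from the CKEditor project), the following Node.js script covers both of the preceding points: it audits a CKEditor4 configuration object for the two settings changed in 4.21, and it checks a Content-Security-Policy header for the directives that have to compensate when the permissive values are kept. The audit rules, the sample configurations and the sample headers are constructed for this example; the assumption that an explicit config.iframe_attributes replaces the default object rather than merging with it is marked in the code.

```javascript
// Added example: audit a CKEditor 4 config for the two defaults hardened in
// 4.21 and audit the page's CSP for the directives that compensate when the
// permissive values are kept. Standalone Node.js; CKEditor is not loaded and
// the rules below are this example's own, not an official CKEditor tool.

// Sandbox tokens that re-enable capabilities the empty (fully restrictive)
// sandbox removes. 'allow-scripts' together with 'allow-same-origin' is the
// worst combination: the framed document can then strip its own sandbox.
const RISKY_SANDBOX_TOKENS = new Set([
  'allow-scripts', 'allow-same-origin', 'allow-top-navigation', 'allow-popups',
]);

// Constructed sample configs. HARDENED keeps an empty sandbox token list
// (every restriction on) and lets Media Embed regenerate widget content.
const HARDENED_CONFIG = {
  iframe_attributes: { sandbox: '' },
  embed_keepOriginalContent: false,
};
const PERMISSIVE_CONFIG = {
  iframe_attributes: { sandbox: 'allow-scripts allow-same-origin' },
  embed_keepOriginalContent: true,
};

// Returns a list of human-readable findings; an empty list means nothing to report.
function auditCkeditorConfig(config) {
  const findings = [];
  const attrs = config.iframe_attributes;
  if (attrs !== undefined) {
    if (typeof attrs.sandbox !== 'string') {
      // Assumption: setting the option replaces the default object (no deep
      // merge), so an override that omits sandbox drops the 4.21 protection.
      findings.push('iframe_attributes overrides the default but sets no sandbox attribute');
    } else {
      const tokens = attrs.sandbox.split(/\s+/).filter(Boolean);
      const risky = tokens.filter((t) => RISKY_SANDBOX_TOKENS.has(t));
      if (risky.length > 0) {
        findings.push(`iframe_attributes.sandbox re-enables: ${risky.join(', ')}`);
      }
      if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
        findings.push('allow-scripts with allow-same-origin lets the framed page remove its own sandbox');
      }
    }
  }
  if (config.embed_keepOriginalContent === true) {
    findings.push('embed_keepOriginalContent: true keeps the original embed markup instead of regenerating it');
  }
  return findings;
}

// Minimal CSP header parser: directive name -> source list. Per the CSP
// spec a repeated directive name is ignored, so the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Checks the two directive families relevant here: script-src governs inline
// scripts and javascript: URLs used as iframe sources; frame-src (falling
// back to child-src, then default-src) governs which origins iframes may load.
function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const scriptSrc = d.get('script-src') ?? d.get('default-src');
  if (scriptSrc === undefined) {
    findings.push('no script-src or default-src: inline scripts and javascript: URLs are unrestricted');
  } else {
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    // so it is only flagged when it is actually effective.
    const hasNonceOrHash = scriptSrc.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src permits 'unsafe-inline', so injected inline scripts and javascript: iframe URLs run");
    }
    if (scriptSrc.includes('*')) findings.push("script-src permits '*'");
  }
  const frameSrc = d.get('frame-src') ?? d.get('child-src') ?? d.get('default-src');
  if (frameSrc === undefined) {
    findings.push('no frame-src, child-src or default-src: iframes may load any origin');
  } else if (frameSrc.includes('*')) {
    findings.push("frame-src permits '*'");
  }
  return findings;
}

// Constructed sample headers (embed.example is a placeholder origin).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRONG_CSP = "default-src 'self'; script-src 'self'; frame-src 'self' https://embed.example; object-src 'none'; base-uri 'self'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('hardened config:', auditCkeditorConfig(HARDENED_CONFIG));
  console.log('permissive config:', auditCkeditorConfig(PERMISSIVE_CONFIG));
  console.log('weak CSP:', auditCsp(WEAK_CSP));
  console.log('strong CSP:', auditCsp(STRONG_CSP));
  console.log('missing CSP:', auditCsp(''));
}
```

Run it with node to see the findings for each sample. The CSP audit deliberately follows the fallback chain the browser uses (frame-src, then child-src, then default-src), because a policy with only default-src still constrains iframes, while a policy with no script-src and no default-src leaves javascript: iframe sources unrestricted.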

Refer to the official CKEditor4 announcement for the full advisory, and to the CKEditor4 CSP configuration guide for the policy needed to meet the requirements above.

In conclusion, CKEditor4 users should take note of CVE-2023-28439 and protect their web applications against it. Upgrade to the latest CKEditor4 version (4.21 or later) and apply the configuration changes that fit your use case. Users who cannot upgrade should follow the CSP configuration guidelines to safeguard their applications.

Timeline

Published on: 03/22/2023 21:15:00 UTC
Last modified on: 03/28/2023 18:52:00 UTC