CVE-2024-43407 - Reflected XSS Vulnerability in CKEditor 4’s GeSHi Plugin—What You Need To Know

---
Published: June 2024

Introduction

CKEditor 4 is one of the most popular open-source WYSIWYG HTML editors, used by millions of web platforms. Security researchers recently found a flaw in the CKEditor 4 Code Snippet GeSHi plugin, tracked as CVE-2024-43407. The issue lets attackers perform a reflected Cross-Site Scripting (XSS) attack by abusing the outdated GeSHi syntax highlighter library when it is exposed on a PHP server. CKEditor’s team reacted quickly and the fix ships in version 4.25.-lts.

What is CVE-2024-43407?

CKEditor 4’s Code Snippet plugin used the third-party GeSHi (“Generic Syntax Highlighter”) library to render syntax-highlighted code. GeSHi, however, has not been maintained for some time.

A reflected XSS vulnerability was discovered that allows attackers to run arbitrary JavaScript in a victim’s browser by manipulating input that GeSHi parses. If GeSHi is accessible on your PHP server and you have not updated CKEditor 4, you may be at risk.

The CKEditor team explains the issue here:
- CKEditor CVE-2024-43407 advisory

1. A PHP server hosts CKEditor 4’s vendor files, including geshi.php.

2. An attacker crafts a URL or POST request with malicious payloads in the query string or request body.
3. GeSHi fails to sanitize input and reflects it back in a syntax-highlighted page, which could execute malicious JavaScript.

If an admin or user visits a crafted link, the attacker’s script could run in their browser—potentially stealing cookies, altering pages, or compromising accounts.

Suppose you have a GeSHi instance publicly available at

https://example.com/ckeditor/vendor/geshi/geshi.php

The attacker uses a payload like

https://example.com/ckeditor/vendor/geshi/geshi.php?language=javascript&source=%3Cscript%3Ealert('HACKED')%3C%2Fscript%3E

After URL decoding, the source parameter is

<script>alert('HACKED')</script>

If GeSHi fails to sanitize this input, the browser displays an alert—proving XSS.

A simplified vulnerable GeSHi code flow might look like this:

<?php
// This is vulnerable code! Both parameters come straight from the query string.
$source = $_GET['source'] ?? '';
$language = $_GET['language'] ?? 'php';

require_once 'geshi.php';

// Initialize the highlighter with untrusted input and echo its output
// without any validation or output encoding.
$geshi = new GeSHi($source, $language);
echo $geshi->parse_code();

There is no input validation and no output encoding: the user-supplied source is handed to GeSHi and echoed as-is, so a script tag in the query string lands directly in the response page.
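For contrast, here is a hardened replacement for that flow. This is an added example, not code from CKEditor or GeSHi: it never passes untrusted input to GeSHi, entity-encodes the snippet, restricts the language to an allowlist, and leaves highlighting to a client-side library (assumed here to be highlight.js, loaded separately by the page).

```php
<?php
// Added example (not CKEditor's or GeSHi's code): a hardened replacement for the
// vulnerable flow shown above. Highlighting is delegated to a client-side
// library (assumed: highlight.js), so the server only emits escaped text.

declare(strict_types=1);

// Allowlist of language names we are willing to emit as a CSS class.
const ALLOWED_LANGUAGES = ['php', 'javascript', 'html', 'css', 'python', 'bash'];

/**
 * Return a safe HTML fragment for a code snippet.
 * Every character that could break out of the <code> element is entity-encoded,
 * so a payload such as <script>alert('HACKED')</script> is displayed literally
 * instead of being executed.
 */
function render_snippet(string $source, string $language): string
{
    // Unknown or malformed language names fall back to plain text instead of
    // being reflected into the markup.
    $lang = strtolower($language);
    if (!in_array($lang, ALLOWED_LANGUAGES, true)) {
        $lang = 'plaintext';
    }

    // ENT_QUOTES also encodes ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // rather than returning an empty string, which would silently hide a failure.
    $escaped = htmlspecialchars($source, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<pre><code class="language-' . $lang . '">' . $escaped . '</code></pre>';
}

// Request handling: the same two GET parameters the vulnerable flow reads.
$source   = (string) ($_GET['source']   ?? '');
$language = (string) ($_GET['language'] ?? 'plaintext');

header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: a CSP without 'unsafe-inline' blocks inline scripts even if
// some other encoding bug slips through.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

echo render_snippet($source, $language);
```

Requesting this script with the payload URL from the example above returns the script tag as visible text inside the code element, and the browser shows no alert.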

Mitigation Steps

1. Upgrade CKEditor 4 to version 4.25.-lts or newer. This release removes GeSHi as a dependency and rewrites the Code Snippet plugin using modern, secure syntax highlighters.


2. Remove GeSHi (geshi.php and associated files) from all public-facing directories on your web server. It is no longer required; deleting it eliminates the XSS vector.

3. If you can’t upgrade, block direct access to geshi.php using web server configuration. For example, on Apache (in the site configuration or a .htaccess file in the GeSHi directory):

<Files "geshi.php">
    Deny from all
</Files>

On Apache 2.4, the equivalent directive inside the same Files block is Require all denied.

Why Remove GeSHi?

GeSHi is no longer maintained and has known security bugs that will not be fixed upstream. Keeping it in your project increases the risk of web attacks in the future.

References and More Info

- CKEditor Security Advisory: CVE-2024-43407
- GeSHi project (no longer active)
- Official CKEditor 4 Changelog

Final Thoughts

If you use CKEditor 4’s Code Snippet feature, make sure you’re running at least 4.25.-lts and have scrubbed GeSHi from your servers. Reflected XSS bugs are some of the most common—and most dangerous—for web apps. Stay ahead of attackers and always keep third-party libraries up to date.

If you’re unsure whether you’re vulnerable—check for geshi.php files on your server today!

*Feel free to share or adapt this summary as needed. Stay secure!*

Timeline

Published on: 08/21/2024 15:15:09 UTC
Last modified on: 08/23/2024 16:20:42 UTC