HTML comments vulnerability allowing to execute JavaScript code

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

CKEditor 跨站脚本漏洞

CKEditor是一套开源的、基于网页的文字编辑器。 CKEditor 4 中存在跨站脚本漏洞，该漏洞源于产品未对输入数据的特殊字符做有效过滤。攻击者可通过该漏洞执行客户端代码。以下产品及版本受到影响： CKEditor4 4.17.0 之前版本。

N/A

N/A