Detections
Analytics

CKEditor 41.3.0 < 44.2.1 XSS

low Nessus Plugin ID 216916

Synopsis

The remote web server may be affected by a cross site scripting vulnerability.

Description

The version of CKEditor included on the remote web host is 41.3.0 prior to 44.2.1. It may, therefore, be affected by a cross-site scripting (XSS) vulnerability. This vulnerability affects user markers, which represent users' positions within the document. It can lead to unauthorized JavaScript code execution, which might happen with a very specific editor and token endpoint configuration. This vulnerability affects only installations with Real-time collaborative editing enabled. The problem has been recognized and patched. The fix is available in version 44.2.1 (and above). Users are advised to upgrade. There are no known workarounds for this vulnerability.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to CKEditor 44.2.1 or later.

See Also

http://www.nessus.org/u?3c32e362

https://ckeditor.com/blog/ckeditor-44-2-1-release-highlights/

Plugin Details

Severity: Low

ID: 216916

File Name: cksource_ckeditor_44_2_1.nasl

Version: 1.1

Type: remote

Published: 2/27/2025

Updated: 2/27/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v4

Risk Factor: Low

Base Score: 2.3

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/a:cksource:ckeditor

Required KB Items: installed_sw/CKSource CKEditor

Patch Publication Date: 2/20/2025

Vulnerability Publication Date: 2/20/2025

Reference Information

CVE: CVE-2025-25299

IAVA: 2025-A-0131