Stored XSS Vulnerability Discovered In CKEditor4: CVE-2021-33829 / CX-2021-4791

Severity

Severity: 6.1 - Medium

Advisory Timeline Summary
CKEditor4 prior to version 4.16.1 is vulnerable to stored XSS.

Product

CKEditor4 prior to 4.16.1

Impact

CKEditor 4 is widely used, so the vulnerability may affect a variety of environments, such as blogs, content management systems, and other websites that accept rich text content from users. Successful exploitation leads to arbitrary web script injection in the context of the site embedding the editor. The impact depends on where the editor is deployed; it may lead to account takeover, credential stealing, sensitive data exposure, etc.

Steps To Reproduce

  1. Click the Source button in CKEditor 4.
  2. Paste the following payload:
Xss<!--{cke{cke_protected}_protected} --!><img src=1 onerror=alert(`XSS`)> Attack
  3. Click the Source button again to return to the regular (WYSIWYG) editor.

Expected Result:

The browser pops an alert.

Remediation

This issue was fixed in version 4.16.1 through commit cae2031 (see Resources).

Properties

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: Required

Scope: Changed

Confidentiality: Low

Integrity: Low

Availability: None

Credit

This issue was discovered and reported by Checkmarx Security Researcher Or Sahar.

Resources

  1. Commit (cae2031)