CVE-2024-45613

Name: CVE-2024-45613
Description: CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either the General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. As a workaround, one may disable the Block Toolbar plugin.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                          Version                Status
ckeditor (PTS)   jessie, jessie (lts)             4.4.4+dfsg1-3+deb8u2   fixed
                 stretch (security)               4.5.7+dfsg-2+deb9u1    fixed
                 stretch (lts), stretch           4.5.7+dfsg-2+deb9u2    fixed
                 buster                           4.11.1+dfsg-1          fixed
                 bullseye                         4.16.0+dfsg-2          fixed
                 bookworm                         4.19.1+dfsg-1          fixed
                 sid, trixie                      4.22.1+dfsg1-2         fixed
ckeditor3 (PTS)  stretch                          3.6.6.1+dfsg-1         fixed
                 buster                           3.6.6.1+dfsg-3         fixed
                 sid, trixie, bullseye, bookworm  3.6.6.1+dfsg-7         fixed

The information below is based on the following data on fixed versions.

Package    Type    Release     Fixed Version   Urgency  Origin  Debian Bugs
ckeditor   source  (unstable)  (not affected)
ckeditor3  source  (unstable)  (not affected)

Notes

- ckeditor <not-affected> (Specific to ckeditor 5)
- ckeditor3 <not-affected> (Specific to ckeditor 5)
