CVE-2023-37905

Summary

ckeditor-wordcount-plugin is an open source WordCount Plugin for CKEditor. It has been discovered that the ckeditor-wordcount-plugin plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. This issue has been addressed in version 1.17.12 of the ckeditor-wordcount-plugin plugin and users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Software

VendorProductVersion RangeStatus
w8tchaCKEditor-WordCount-Plugin< 1.17.12affected
typo3cms-rte-ckeditor>= 10.0.0, < 10.4.39affected
typo3cms-rte-ckeditor>= 11.0.0, < 11.5.30affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References