
CKEditor v43.1.1 Release Highlights: Security fix introduced

We’re releasing CKEditor 5 v43.1.1 to address a Cross-Site Scripting (XSS) vulnerability (CVE-2024-45613) that was discovered in the clipboard package during a recent internal audit.

What is the latest version of CKEditor?

The latest version of CKEditor is v43.1.1 and includes an important security fix. We highly recommend updating to the latest version to keep your application secure.

UPDATED Security Fix for Clipboard Package

During an internal audit, a Cross-Site Scripting (XSS) vulnerability was discovered in the CKEditor 5 clipboard package (CVE-2024-45613). This vulnerability could potentially allow unauthorized JavaScript execution under specific configurations triggered by user actions.

This vulnerability impacts only those installations with the following editor configuration:

1. General HTML Support with a configuration that permits unsafe markup

2. HTML Embed
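The two conditions listed above can be checked mechanically when triaging which deployments to update first. The following is an added example, not code from CKEditor or from this page. It treats either condition as sufficient, and its reading of "unsafe markup" (an allow rule that can match script, or that admits all attributes or on* handlers) and all function names are assumptions.

```javascript
// Added triage helper (not CKEditor code). Flags editor configs that match the
// conditions listed above and still run a release older than 43.1.1.
const FIXED = [43, 1, 1];

function isOlderThanFix(version) {
  const v = String(version).split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < FIXED.length; i++) {
    if ((v[i] || 0) !== FIXED[i]) return (v[i] || 0) < FIXED[i];
  }
  return false;
}

// Plugins are listed either as strings or as classes with a static pluginName.
function pluginNames(config) {
  return (config.plugins || []).map((p) => (typeof p === 'string' ? p : p.pluginName));
}

function patternMatches(pattern, value) {
  if (pattern === true) return true;
  if (pattern instanceof RegExp) return pattern.test(value);
  return pattern === value;
}

// Assumption: "unsafe markup" is approximated as an allow rule that can match
// <script>, or that admits all attributes or an on* event-handler attribute.
// Only the true, RegExp, string, array and plain-object attribute forms are read.
function ruleAllowsUnsafe(rule) {
  if (rule.name === undefined || patternMatches(rule.name, 'script')) return true;
  const attrs = rule.attributes;
  if (attrs === true) return true;
  if (attrs instanceof RegExp) return attrs.test('onerror');
  if (!attrs) return false;
  const keys = Array.isArray(attrs) ? attrs
    : typeof attrs === 'object' ? Object.keys(attrs) : [attrs];
  return keys.some((k) => (k instanceof RegExp ? k.test('onerror') : /^on/i.test(String(k))));
}

function auditConfig(version, config) {
  const names = pluginNames(config);
  const htmlEmbed = names.includes('HtmlEmbed');
  const allow = (config.htmlSupport && config.htmlSupport.allow) || [];
  const unsafeGhs = names.includes('GeneralHtmlSupport') && allow.some(ruleAllowsUnsafe);
  const outdated = isOlderThanFix(version);
  return { outdated, htmlEmbed, unsafeGhs, needsUpdate: outdated && (htmlEmbed || unsafeGhs) };
}
```

A result with needsUpdate set to false only means the configuration does not match this heuristic; updating to v43.1.1 remains the recommended action.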

Additionally, in this release we have implemented further hardening measures in parts of our codebase to address theoretical issues, none of which are exploitable in real scenarios. The fixes were made proactively to increase overall security.


北京哲想软件有限公司