We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

CKeditor 4.20.2 in use which is vulnerable to CVE-2023-28439 in limesurvey/limesurvey

Valid

Reported on

Apr 18th 2023

Description

CKeditor 4.20.2 in use which is vulnerable to CVE-2023-28439

Proof of Concept

 1) Go to https://demo.limesurvey.org/tmp/assets/a89a2fb4/ckeditor.js and note that version:"4.20.2"
 2)  Go to https://github.com/LimeSurvey/LimeSurvey/blob/master/assets/packages/ckeditor/ckeditor.js to verify version
 3) Go to https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g which indicate CVE-2023-28439  affects ckeditor < 4.21.0

Impact

This vulnerability is capable of XSS based on the CVE

Occurrences

ckeditor version

References

We are processing your report and will contact the limesurvey team within 24 hours. 5 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 5 months ago
Carsten Schmitz validated this vulnerability 3 months ago
Joshua Chan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz marked this as fixed in 5.6.27 with commit 9f3e65 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jun 19th 2023
ckeditor.js#L5 has been validated
Carsten Schmitz published this vulnerability 3 months ago
to join this conversation