CKEditor v43.1.1 Release Highlights: Security fix introduced
We’re releasing CKEditor 5 v43.1.1 to address a Cross-Site Scripting (XSS) vulnerability (CVE-2024-45613) in the clipboard package, discovered during a recent internal audit.
What is the latest version of CKEditor?
The latest version of CKEditor is v43.1.1 and includes an important security fix. We highly recommend updating to the latest version to keep your application secure.
UPDATED Security Fix for Clipboard Package
During an internal audit, a Cross-Site Scripting (XSS) vulnerability was discovered in the CKEditor 5 clipboard package (CVE-2024-45613). This vulnerability could potentially allow unauthorized JavaScript execution, triggered by user actions, under specific configurations.
This vulnerability impacts only those installations with the following editor configuration:
- The Block Toolbar plugin is enabled.
- One of the following plugins is also enabled:
  - General HTML Support with a configuration that permits unsafe markup.
  - HTML Embed
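As an added example (not code from CKEditor or from this announcement), the JavaScript helper below checks an editor setup against the affected combination listed above. It assumes plugins are supplied as their `pluginName` strings, and its test for "unsafe markup" is a conservative heuristic chosen for this example, since the announcement does not define that term.

```javascript
// Added example: configuration audit helper, not CKEditor code.
// Assumption: elements this check treats as script-capable.
const SCRIPT_CAPABLE = ['script', 'iframe', 'object', 'embed'];

function nameMatches(pattern, tag) {
  if (pattern === undefined || pattern === true) return true; // no name: any element
  if (pattern instanceof RegExp) {
    pattern.lastIndex = 0; // keep /g and /y patterns from carrying state
    return pattern.test(tag);
  }
  return pattern === tag;
}

// Heuristic (assumption): an allow rule counts as unsafe when it admits a
// script-capable element, every attribute, or an on* event-handler attribute.
function ruleIsUnsafe(rule) {
  if (typeof rule === 'string' || rule instanceof RegExp) {
    return SCRIPT_CAPABLE.some(tag => nameMatches(rule, tag));
  }
  if (SCRIPT_CAPABLE.some(tag => nameMatches(rule.name, tag))) return true;
  const attrs = rule.attributes;
  if (attrs === true) return true;
  if (attrs instanceof RegExp) return nameMatches(attrs, 'onclick');
  let keys = [];
  if (Array.isArray(attrs)) keys = attrs.map(a => (typeof a === 'string' ? a : a.key));
  else if (attrs && typeof attrs === 'object') keys = Object.keys(attrs);
  return keys.some(k => typeof k === 'string' && /^on/i.test(k));
}

// plugins: array of plugin names; htmlSupport: the editor's htmlSupport config.
// htmlSupport.disallow is ignored, so the check may over-report.
function auditEditorConfig({ plugins = [], htmlSupport = {} }) {
  const has = name => plugins.includes(name);
  const reasons = [];
  if (has('HtmlEmbed')) reasons.push('HTML Embed is enabled');
  if (has('GeneralHtmlSupport') && (htmlSupport.allow || []).some(ruleIsUnsafe)) {
    reasons.push('General HTML Support allow rule permits unsafe markup');
  }
  return { affected: has('BlockToolbar') && reasons.length > 0, reasons };
}

// Constructed sample configuration.
const sample = {
  plugins: ['Essentials', 'BlockToolbar', 'GeneralHtmlSupport'],
  htmlSupport: { allow: [{ name: /.*/, attributes: true, classes: true, styles: true }] }
};
console.log(auditEditorConfig(sample));
```

A result with `affected: true` marks an editor that matches the listed configuration and should be updated to v43.1.1.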
For more details, refer to the security advisory, or contact us if you have more questions.
Additionally, in this release we have implemented further hardening measures in parts of our codebase to address theoretical issues, none of which are exploitable in real scenarios. Regardless, we made these fixes proactively to increase overall security.
Learn more about previous CKEditor 5 versions
- CKEditor v43.1.0 Release Highlights: Block Merge Fields, Nested Dropdowns, and more
- CKEditor v43.0.0 Release Highlights - All-new Merge Fields and Export to Word v2
- CKEditor v42.0.0 Release Highlights: new installation methods and builder unveiled
- CKEditor v41.4.0: Accessibility and UX improvements + bug fixes
- CKEditor v41.3.0: New Multi-level Lists plugin and Menu Bar + accessibility report