CKEditor Preview Plugin CVE-2014-5191 Unspecified Cross Site Scripting Vulnerability

Bugtraq ID:	69161
Class:	Input Validation Error
CVE:	CVE-2014-5191
Remote:	Yes
Local:	No
Published:	Aug 08 2014 12:00AM
Updated:	Jul 15 2015 12:11AM
Credit:	Mario Heiderich of Cure53.
Vulnerable:	CKSource CKEditor 3.6.2 CKSource CKEditor 3.0
Not Vulnerable:

CKEditor Preview Plugin CVE-2014-5191 Unspecified Cross Site Scripting Vulnerability

Preview plugin for CKEditor is prone to a unspecified cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to CKEditor 4.4.3 are vulnerable.

CKEditor Preview Plugin CVE-2014-5191 Unspecified Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

CKEditor Preview Plugin CVE-2014-5191 Unspecified Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

CKEditor Preview Plugin CVE-2014-5191 Unspecified Cross Site Scripting Vulnerability

References: