1. Ubuntu Security Notices
  2. USN-7258-1

USN-7258-1: CKEditor vulnerabilities

Publication date

6 February 2025

Overview

Several security issues were fixed in CKEditor.

Releases

Packages

  • ckeditor - Text editor which can be embedded into web pages

Details

Kevin Backhouse discovered that CKEditor did not properly sanitize HTML
content. An attacker could possibly use this issue to perform cross site
scripting and obtain sensitive information. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-24728)

It was discovered that CKEditor did not properly handle the creation of
editor instances in the Iframe Dialog and Media Embed packages. An
attacker could possibly use this issue to perform cross site scripting
and obtain sensitive information. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-28439)

It was discovered that CKEditor did not properly handle parsing HTML
content. An attacker could possibly use this issue to perform cross site
scripting and obtain sensitive...

Kevin Backhouse discovered that CKEditor did not properly sanitize HTML
content. An attacker could possibly use this issue to perform cross site
scripting and obtain sensitive information. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-24728)

It was discovered that CKEditor did not properly handle the creation of
editor instances in the Iframe Dialog and Media Embed packages. An
attacker could possibly use this issue to perform cross site scripting
and obtain sensitive information. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-28439)

It was discovered that CKEditor did not properly handle parsing HTML
content. An attacker could possibly use this issue to perform cross site
scripting and obtain sensitive information.
(CVE-2024-24815, CVE-2024-24816)

It was discovered that CKEditor did not properly sanitize version
notifications. An attacker could possibly use this issue to perform cross
site scripting and obtain sensitive information. This issue only affected
Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-43411)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
24.10 oracular ckeditor –  4.22.1+dfsg1-2ubuntu0.24.10.1
24.04 noble ckeditor –  4.22.1+dfsg1-2ubuntu0.24.04.1~esm1  
22.04 jammy ckeditor –  4.16.2+dfsg-1ubuntu0.1~esm1  
20.04 focal ckeditor –  4.12.1+dfsg-1ubuntu0.1+esm1  
18.04 bionic ckeditor –  4.5.7+dfsg-2ubuntu0.18.04.1+esm1  
16.04 xenial ckeditor –  4.5.7+dfsg-2ubuntu0.16.04.1~esm2  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›