CVE-2023-28439: 
Linux Debian vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in CKEditor4, an open source what-you-see-is-what-you-get HTML editor, affecting the Iframe Dialog and Media Embed packages. The vulnerability was assigned CVE-2023-28439 and was patched in version 4.21.0 (GitHub Advisory).

The vulnerability could be triggered under specific conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration, initializing the editor on an element and using an element other than <textarea> as a base, and destroying the editor instance. The vulnerability has a CVSS v3.1 base score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

The vulnerability allows an attacker to execute JavaScript code by exploiting the editor instance destroying process. This vulnerability affects a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism (GitHub Advisory).

The vulnerability was patched in CKEditor4 version 4.21.0. Starting from this version, the Iframe Dialog plugin applies the sandbox attribute by default, which restricts JavaScript code execution in the iframe element. Additionally, the Media Embed plugin regenerates the entire content of the embed widget by default. Users can configure these behaviors using the config.iframe_attributes and config.embed_keepOriginalContent options respectively. Those who choose more permissive options or cannot upgrade should properly configure Content Security Policy (GitHub Advisory).