CVE-2023-37905: 
JavaScript vulnerability analysis and mitigation

The CVE-2023-37905 vulnerability affects the ckeditor-wordcount-plugin for CKEditor4, discovered in July 2023. This cross-site scripting (XSS) vulnerability occurs when switching to the source code mode in the editor. The vulnerability affects versions up to and including 1.17.11 of the ckeditor-wordcount-plugin (GitHub Advisory).

The vulnerability is classified as a cross-site scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vulnerability exists in the source code mode of the editor, allowing potential XSS attacks when switching between modes (TYPO3 Advisory).

The vulnerability could allow attackers to execute cross-site scripting attacks, potentially leading to unauthorized access to sensitive information or manipulation of content. In TYPO3 CMS implementations, while default scenarios require a valid backend user account, if custom plugins are used on the website frontend that accept and reflect rich-text content submitted by users, no authentication is required for exploitation (TYPO3 Advisory).

Users should update to version 1.17.12 of the ckeditor-wordcount-plugin which contains the fix for this vulnerability. For TYPO3 CMS users, updates are available in versions 9.5.42 ELTS, 10.4.39 ELTS, and 11.5.30. There are no known workarounds for this vulnerability (TYPO3 Advisory).