CVE-2019-9870

9.8 CRITICAL

📋 TL;DR

This vulnerability in the w8tcha oEmbed plugin for CKEditor allows cross-site scripting (XSS) attacks through improper handling of SCRIPT elements. Attackers can inject malicious scripts that execute in users' browsers when viewing content containing specially crafted oEmbed elements. Any website using the vulnerable plugin version is affected.

💻 Affected Systems

Products:
  • w8tcha CKEditor oEmbed Plugin
Versions: All versions before 2019-03-14
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any CKEditor installation using the vulnerable oEmbed plugin version.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of user sessions, credential theft, defacement of websites, and potential server-side code execution if combined with other vulnerabilities.

🟠 Likely Case

Session hijacking, credential theft, and unauthorized actions performed on behalf of authenticated users.

🟢 If Mitigated

Limited impact with proper content security policies and input validation, potentially reduced to minor data leakage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly weaponized and require minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version from commit 10f6169e39510bbf5af913886037044458b9dc9b (2019-03-14)

Vendor Advisory: https://github.com/w8tcha/CKEditor-oEmbed-Plugin/commit/10f6169e39510bbf5af913886037044458b9dc9b

Restart Required: No

Instructions:

1. Update the oEmbed plugin to the version from commit 10f6169e39510bbf5af913886037044458b9dc9b or later.
2. Replace plugin.js with the patched version.
3. Clear any cached files.

🔧 Temporary Workarounds

Disable oEmbed Plugin

Platforms: all

Temporarily disable the vulnerable oEmbed plugin until patching is possible.

Remove or rename the plugin directory: plugins/oembed

Implement Content Security Policy

Platforms: all

Add CSP headers so the browser only executes scripts from trusted origins; an injected inline script or a script loaded from an attacker-controlled origin is then refused by the browser.

Add header: Content-Security-Policy: script-src 'self'

Note that script-src 'self' also blocks the site's own inline scripts and inline event handlers, so test the policy against the editor pages before rolling it out; if the embedded oEmbed content includes third-party frames, a frame-src directive may be needed as well. This limits the impact of the bug but does not remove it.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-provided oEmbed content
  • Deploy web application firewall rules to block malicious script injection patterns

🔍 How to Verify

Check if Vulnerable:

Check if plugin.js version predates commit 10f6169e39510bbf5af913886037044458b9dc9b (2019-03-14).

Check Version:

Check file modification date or compare with patched version from GitHub repository.

Verify Fix Applied:

Verify plugin.js contains the security fixes from commit 10f6169e39510bbf5af913886037044458b9dc9b.

📡 Detection & Monitoring

Log Indicators:

  • Unusual oEmbed parameter patterns in web server logs
  • Multiple requests with script-like payloads in query parameters

Network Indicators:

  • Incoming requests containing malicious script tags in oEmbed parameters

SIEM Query:

source="web_server" AND (url CONTAINS "oembed" AND (param CONTAINS "<script" OR param CONTAINS "javascript:"))
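The SIEM query above is written in a generic pseudo-syntax. The following is an added example, not part of this advisory, that applies the same three conditions (a request path containing "oembed", and a query parameter containing "<script" or "javascript:") to web server access logs in combined log format. The log lines are constructed for the example and do not come from a real server; the URL decoding and case folding are assumptions about how an attacker-supplied parameter would appear in a log, and the per-IP count supports the "multiple requests" indicator listed above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (combined log format). These are made up for
# the example; the IPs are documentation ranges, not observed attacker addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Mar/2019:10:01:02 +0000] "GET /editor/plugins/oembed/dialogs/oembed.js HTTP/1.1" 200 8321
203.0.113.7 - - [14/Mar/2019:10:02:15 +0000] "GET /oembed?url=https%3A%2F%2Fexample.com%2Fvideo%2F1 HTTP/1.1" 200 512
198.51.100.9 - - [14/Mar/2019:10:03:44 +0000] "GET /oembed?url=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
198.51.100.9 - - [14/Mar/2019:10:03:50 +0000] "GET /oembed?url=JAVASCRIPT%3Aalert(1) HTTP/1.1" 200 512
192.0.2.3 - - [14/Mar/2019:10:04:01 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 2048
"""

# Matches the client IP, timestamp and request target of a combined-log-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# The same two markers the advisory's SIEM query looks for.
SCRIPT_MARKERS = ("<script", "javascript:")


def is_suspicious_oembed_request(target):
    """Return True when the request path mentions oembed and any query parameter,
    after URL decoding and case folding, contains one of the script markers."""
    parts = urlsplit(target)
    if "oembed" not in parts.path.lower():
        return False
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; a second pass catches double-encoded values.
        decoded = unquote_plus(value).lower()
        if any(marker in decoded for marker in SCRIPT_MARKERS):
            return True
    return False


def find_oembed_script_hits(log_text):
    """Scan access-log text and return one record per matching request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_suspicious_oembed_request(m.group("target")):
            hits.append({"ip": m.group("ip"), "timestamp": m.group("ts"),
                         "target": m.group("target")})
    return hits


def count_hits_by_ip(hits):
    """Aggregate matches per client so repeated probing from one source stands out."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    matches = find_oembed_script_hits(SAMPLE_LOG)
    for h in matches:
        print(f"{h['timestamp']} {h['ip']} {h['target']}")
    print("per-IP counts:", count_hits_by_ip(matches))
```

The first sample line shows why the check is applied to query parameters rather than to the whole URL: the plugin's own static files have "oembed" in their path and would otherwise be flagged on every page load. The last line shows a script marker outside any oEmbed endpoint, which this rule deliberately ignores so that a broader XSS rule can handle it separately.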
