It was possible in CKEditor before 4.11.0 to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.

References:
https://ckeditor.com/cke4/release/CKEditor-4.11.0
Created ckeditor tracking bugs for this issue:

Affects: epel-all [bug 1651705]
Affects: fedora-all [bug 1651704]
All dependent bugs have been closed. Can this tracking bug be closed?