CVE-2024-24816
Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.
CKEditor4 es un editor HTML de código abierto de lo que ves es lo que obtienes. Se descubrió una vulnerabilidad de cross-site scripting en versiones anteriores a la 4.24.0-lts en muestras que utilizan la función "vista previa". Todos los integradores que utilicen estos ejemplos en el código de producción pueden verse afectados. La vulnerabilidad permite a un atacante ejecutar código JavaScript abusando de la función de vista previa mal configurada. Afecta a todos los usuarios que utilizan CKEditor 4 en la versión <4.24.0-lts con muestras afectadas utilizadas en un entorno de producción. Hay una solución disponible en la versión 4.24.0-lts.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-01-31 CVE Reserved
- 2024-02-07 CVE Published
- 2024-02-10 First Exploit
- 2024-02-15 EPSS Updated
- 2024-08-01 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://ckeditor.com/cke4/addon/preview | Product |
| URL | Date | SRC |
|---|---|---|
| https://github.com/afine-com/CVE-2024-24816 | 2024-02-10 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb | 2024-02-15 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76 | 2024-02-15 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Ckeditor Search vendor "Ckeditor" | Ckeditor Search vendor "Ckeditor" for product "Ckeditor" | >= 4.0 < 4.24.0 Search vendor "Ckeditor" for product "Ckeditor" and version " >= 4.0 < 4.24.0" | - |
Affected
| ||||||