CVE-2024-24815

Severity: 6.1 MEDIUM
EPSS: 0.1% (top 69.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 7; latest update Feb 6

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mech

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (4 packages)

Source    | Package            | Affected versions
npm       | ckeditor4          | < 4.24.0-lts
CVEListV5 | ckeditor/ckeditor4 | < 4.24.0-lts
NVD       | ckeditor/ckeditor4.04.24.0
Packagist | ckeditor/ckeditor  | < 4.24.0

Patches

Vulnerability Details (4)

OSV: CVE-2024-24815: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor (2024-02-07)
OSV: CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection (2024-02-07)
GHSA: CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection (2024-02-07)
CVEList: CKEditor4 Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection (2024-02-07)

Vendor Advisories (3)

Ubuntu: CKEditor vulnerabilities (2025-02-06)
Drupal: CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009 (2024-02-14)
Debian: CVE-2024-24815: ckeditor - CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-si... (2024)