CVE-2024-24816

CWE-79 — Cross-site Scripting (XSS)9 documents7 sources

Severity

6.1MEDIUM

EPSS

35.6%

top 2.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ckeditor Ckeditor4 Ckeditor Ckeditor

Timeline

PublishedFeb 7

Latest updateFeb 6

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶npmckeditor4< 4.24.0-lts

▶CVEListV5ckeditor/ckeditor4< 4.24.0-lts

▶NVDckeditor/ckeditor4.0 — 4.24.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-24816: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor↗2024-02-07

▶

OSV

CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature↗2024-02-07

▶

GHSA

CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature↗2024-02-07

▶

CVEList

Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature↗2024-02-07

▶

📋Vendor Advisories

Ubuntu

CKEditor vulnerabilities↗2025-02-06

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Web UI (CKEditor) — CVE-2024-24816↗2024-07-15

▶

Oracle

Oracle Oracle Insurance Applications Risk Matrix: Enterprise Edition (CKEditor) — CVE-2024-24816↗2024-04-15

▶

Debian

CVE-2024-24816: ckeditor - CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-si...↗2024

▶