CVE-2024-24816

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://ckeditor.com/cke4/addon/preview	Product
https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb	Patch
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*

History

15 Feb 2024, 05:01

Type	Values Removed	Values Added
First Time		Ckeditor Ckeditor ckeditor
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CWE		CWE-79
CPE		cpe:2.3:a:ckeditor:ckeditor::::::::
References	~~() https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb -~~	() https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb - Patch
References	~~() https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76 -~~	() https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76 - Vendor Advisory
References	~~() https://ckeditor.com/cke4/addon/preview -~~	() https://ckeditor.com/cke4/addon/preview - Product

07 Feb 2024, 17:38

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-07 17:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-24816

Mitre link : CVE-2024-24816

CVE.ORG link : CVE-2024-24816

JSON object : View

Products Affected

ckeditor

ckeditor

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-24816", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-02-07T17:15:11.383", "references": [{"url": "https://ckeditor.com/cke4/addon/preview", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts."}, {"lang": "es", "value": "CKEditor4 es un editor HTML de c\u00f3digo abierto de lo que ves es lo que obtienes. Se descubri\u00f3 una vulnerabilidad de cross-site scripting en versiones anteriores a la 4.24.0-lts en muestras que utilizan la funci\u00f3n \"vista previa\". Todos los integradores que utilicen estos ejemplos en el c\u00f3digo de producci\u00f3n pueden verse afectados. La vulnerabilidad permite a un atacante ejecutar c\u00f3digo JavaScript abusando de la funci\u00f3n de vista previa mal configurada. Afecta a todos los usuarios que utilizan CKEditor 4 en la versi\u00f3n <4.24.0-lts con muestras afectadas utilizadas en un entorno de producci\u00f3n. Hay una soluci\u00f3n disponible en la versi\u00f3n 4.24.0-lts."}], "lastModified": "2024-02-15T05:01:35.393", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6B9E14F-3103-4A78-A337-47786B2B06ED", "versionEndExcluding": "4.24.0", "versionStartIncluding": "4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}