Lucene search

GitHub_MCVELIST:CVE-2024-37888

HistoryJun 14, 2024 - 5:17 p.m.

CVE-2024-37888 The Open Link CKEditor plugin has a cross-site scripting (XSS) vulnerability in open link functionality

2024-06-1417:17:26

CWE-79

GitHub_M

www.cve.org

cve-2024-37888

cross-site scripting

open link plugin

javascript code execution

version 1.0.5

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.0%

JSON

The Open Link is a CKEditor plugin, extending context menu with a possibility to open link in a new tab. The vulnerability allowed to execute JavaScript code by abusing link href attribute. It affects all users using the Open Link plugin at version < 1.0.5.

CNA Affected

[
  {
    "vendor": "mlewand",
    "product": "ckeditor-plugin-openlink",
    "versions": [
      {
        "version": "< 1.0.5",
        "status": "affected"
      }
    ]
  }
]

References

github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-37888