Lucene search
Copyright (C) 2023 Greenbone AGOPENVAS:1361412562310124477HistoryNov 20, 2023 - 12:00 a.m.
CKEditor < 4.24.0-lts Multiple XSS Vulnerabilities - Windows
2023-11-2000:00:00
Copyright (C) 2023 Greenbone AG
plugins.openvas.org
5
ckeditor
xss
vulnerabilities
windows
cve-2023-4771
cve-2024-24815
cve-2024-24816
update
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.9 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.2%
CKEditor 4 is prone to multiple cross-site scripting (XSS)
vulnerabilities.
# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:ckeditor:ckeditor";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.124477");
script_version("2024-02-09T14:47:30+0000");
script_tag(name:"last_modification", value:"2024-02-09 14:47:30 +0000 (Fri, 09 Feb 2024)");
script_tag(name:"creation_date", value:"2023-11-20 07:40:43 +0000 (Mon, 20 Nov 2023)");
script_tag(name:"cvss_base", value:"6.4");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:N");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2023-11-28 19:09:00 +0000 (Tue, 28 Nov 2023)");
script_cve_id("CVE-2023-4771", "CVE-2024-24815", "CVE-2024-24816");
script_tag(name:"qod_type", value:"remote_banner");
script_tag(name:"solution_type", value:"VendorFix");
script_name("CKEditor < 4.24.0-lts Multiple XSS Vulnerabilities - Windows");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2023 Greenbone AG");
script_family("Web application abuses");
script_dependencies("sw_ckeditor_http_detect.nasl", "os_detection.nasl");
script_mandatory_keys("ckeditor/detected", "Host/runs_windows");
script_tag(name:"summary", value:"CKEditor 4 is prone to multiple cross-site scripting (XSS)
vulnerabilities.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"The following vulnerabilities exist:
- CVE-2023-4771: An attacker could send malicious javascript code through the
/ckeditor/samples/old/ajax.html file and retrieve an authorized user's information.
- CVE-2024-24815: An attacker could inject malformed HTML content bypassing Advanced Content
Filtering mechanism, which could result in executing JavaScript code. This could allow to abuse
faulty CDATA content detection and use it to prepare an intentional attack on the editor.
- CVE-2024-24816: An attacker could execute JavaScript code by abusing the misconfigured preview
feature through the samples used in a production mode.");
script_tag(name:"affected", value:"CKEditor prior to version 4.24.0-lts.");
script_tag(name:"solution", value:"Update to version 4.24.0-lts or later.");
script_xref(name:"URL", value:"https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-wh5w-82f3-wrxh");
script_xref(name:"URL", value:"https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm");
script_xref(name:"URL", value:"https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76");
exit(0);
}
include("version_func.inc");
include("host_details.inc");
if ( !port = get_app_port( cpe: CPE ) )
exit( 0 );
if ( !infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )
exit( 0 );
version = infos["version"];
location = infos["location"];
if ( version_is_less( version: version, test_version: "4.24.0" ) ) {
report = report_fixed_ver( installed_version: version, fixed_version: "4.24.0", install_path: location );
security_message( port: port, data: report );
exit( 0 );
}
exit( 99 );
Related
openvas
openvas
CKEditor < 4.24.0-lts Multiple XSS Vulnerabilities - Linux
2023-11-20 00:00:00
nessus
nessus
CKEditor 4.x < 4.24.0-lts Multitple XSS
2024-02-09 00:00:00
osv
osv
CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature
2024-02-07 17:31:34
CVE-2024-24815
2024-02-07 16:15:47
veracode
veracode
Cross Site Scripting (XSS)
2024-02-08 04:14:20
Cross-site Scripting (XSS)
2024-02-08 05:03:09
Cross-site Scripting
2023-11-17 08:27:52
github
github
CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature
2024-02-07 17:31:34
CKEditor cross-site scripting vulnerability in AJAX sample
2024-02-07 17:34:11
ubuntucve
ubuntucve
cnvd
cnvd
CKEditor cross-site scripting vulnerability (CNVD-2024-09868)
2024-02-22 00:00:00
CKEditor cross-site scripting vulnerability (CNVD-2024-09867)
2024-02-22 00:00:00
cve
cve
nvd
nvd
prion
prion
Cross site scripting
2024-02-07 16:15:00
Cross site scripting
2024-02-07 17:15:00
Cross site scripting
2023-11-16 14:15:00
cvelist
cvelist
CVE-2024-24815 CKEditor4 Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection
2024-02-07 15:14:32
CVE-2024-24816 Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature
2024-02-07 16:58:24
CVE-2023-4771 Cross-Site Scripting vulnerability in CKSource CKEditor
2023-11-16 14:08:47
debiancve
debiancve
drupal
drupal
oracle
oracle
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.9 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.2%
Related for OPENVAS:1361412562310124477