PRIOn knowledge base: CVE-2024-24815
History: Feb 07, 2024 - 4:15 p.m.

Cross site scripting

Published: 2024-02-07 16:15:00
Source: PRIOn knowledge base (www.prio-n.com)
Tags: cross site scripting, html editor, security vulnerability, ckeditor4

AI Score: 6.1 Medium (confidence: High)
EPSS: 0.001 Low (percentile: 25.2%)

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that have full-page editing mode enabled, or that allow CDATA elements in the Advanced Content Filter (ACF) configuration (the CDATA element set defaults to script and style). The vulnerability allows an attacker to inject malformed HTML content that bypasses the ACF, which could result in execution of JavaScript code. An attacker could abuse the faulty CDATA content detection to craft content that deliberately attacks the editor. A fix is available in version 4.24.0-lts; instances that cannot upgrade immediately should review whether full-page mode or script/style elements are actually needed in their configuration.
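The following triage helper is an added example, not code from the PRIOn page or the CKEditor project. It applies the two facts the advisory gives (the affected range 4.0 to below 4.24.0-lts from the CPE table, and the exposure conditions: full-page mode or script/style allowed through ACF) to an editor version string and its configuration object. It assumes the version is read from CKEditor's `CKEDITOR.version` string and that the configuration uses the real CKEditor 4 keys `fullPage`, `allowedContent` and `extraAllowedContent`; the ACF rule parsing is a deliberate simplification (assumption) that only recognises element names in string-format rules such as `"p b; script[src]"`, and treats `allowedContent: true` as ACF disabled, which is CKEditor 4's documented meaning of that value.

```javascript
// Added triage example for CVE-2024-24815 (not CKEditor code). Assumptions:
// version strings look like CKEDITOR.version ("4.22.1", "4.24.0-lts"), and
// config is the editor's CKEDITOR.config-style object.

// Parse "major.minor.patch" with an optional "-lts" suffix into numbers.
// The suffix carries no ordering information, so it is dropped.
function parseVersion(v) {
  const core = String(v).trim().split('-')[0];
  const parts = core.split('.').map((p) => parseInt(p, 10));
  if (parts.length < 1 || parts.length > 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unrecognised CKEditor version: ${v}`);
  }
  while (parts.length < 3) parts.push(0); // "4.0" -> [4, 0, 0]
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range taken from the CPE table on this page: ckeditor >= 4.0, < 4.24.0.
const AFFECTED_FROM = '4.0';
const FIXED_IN = '4.24.0-lts';

function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// CDATA elements as the advisory describes the default: script and style.
const CDATA_ELEMENTS = ['script', 'style'];

// Simplified ACF inspection (assumption): only string-format rules are parsed,
// taking the element-name list that precedes any "[attrs]", "{styles}" or
// "(classes)" part of each ";"-separated rule. Object-format rules are ignored.
function acfAllowsCdata(config) {
  if (config.allowedContent === true) return true; // ACF switched off entirely
  const rules = [config.allowedContent, config.extraAllowedContent]
    .filter((r) => typeof r === 'string')
    .join(';');
  const names = new Set();
  for (const rule of rules.split(';')) {
    const head = rule.split(/[[{(]/)[0];
    for (const name of head.trim().split(/\s+/)) {
      if (name) names.add(name.toLowerCase());
    }
  }
  return CDATA_ELEMENTS.some((el) => names.has(el));
}

// Combine the version check with the two exposure conditions from the advisory.
function assess(version, config = {}) {
  const reasons = [];
  const affectedVersion = isAffectedVersion(version);
  const fullPage = config.fullPage === true;
  const cdata = acfAllowsCdata(config);
  if (!affectedVersion) reasons.push(`version ${version} is outside the affected range`);
  if (fullPage) reasons.push('fullPage editing mode is enabled');
  if (cdata) reasons.push('ACF allows CDATA elements (script/style)');
  const exposed = affectedVersion && (fullPage || cdata);
  return {
    affectedVersion,
    exposed,
    reasons,
    recommendation: exposed ? `upgrade to ${FIXED_IN}` : null,
  };
}

// Constructed sample input: a pre-fix editor with script allowed through ACF.
console.log(assess('4.22.1', { allowedContent: 'p b i; script[src]' }));
```

A version in range with neither condition set is reported as not exposed by this helper, but it is still running vulnerable parser code; the advisory's fix is the upgrade, and the configuration check only orders the work.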

Affected CPE range:
  ckeditor  >=  4.0
  ckeditor  <   4.24.0
