Skip to content

afine-com/CVE-2024-24816

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

CVE-2024-24816

CKEditor 4 < 4.24.0-lts - XSS vulnerability in samples that use the "preview" feature.

Timeline

  • Vulnerability reported to vendor: 18.07.2024
  • New fixed 5.2.8 version released: 07.02.2024
  • Public disclosure: 06.01.2024

Description

Cross-Site-Scripting (XSS) vulnerability in CkEditor 4 sample files. This vulnerability allows an attacker to execute untrusted JavaScript code in the context of the currently logged-in user.

The vulnerability exists in sample files that use the "preview" feature:

samples/old/**/*.html
plugins/[plugin name]/samples/**/*.html

The following code can be used to achieve XSS using the "preview" feature:

<p>&gt;</p>

<p><a href="javascript:alert(document.domain)">XSS</a></p>

<p>&nbsp;</p>

This issue was caused by a lack of sanitization of the data passed to "preview" feature. This problem has been fixed in CKEditor 4 at version 4.24.0-lts.

Affected versions

< 4.24.0-lts

Advisory

Update CKEditor 4 to version 4.24.0-lts or newer.

References

About

CKEditor 4 < 4.24.0-lts - XSS vulnerability in samples that use the "preview" feature.

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published