CKEditor 4 < 4.24.0-lts - XSS vulnerability in samples that use the "preview" feature.

AstonishedLiker/CVE-2024-24816

 
 

CVE-2024-24816

CKEditor 4 < 4.24.0-lts - XSS vulnerability in samples that use the "preview" feature.

Timeline

  • Vulnerability reported to vendor: 18.07.2024
  • New fixed 5.2.8 version released: 07.02.2024
  • Public disclosure: 06.01.2024

Description

Cross-site scripting (XSS) vulnerability in CKEditor 4 sample files. This vulnerability allows an attacker to execute untrusted JavaScript code in the context of the currently logged-in user.

The vulnerability exists in sample files that use the "preview" feature:

samples/old/**/*.html
plugins/[plugin name]/samples/**/*.html

The following code can be used to achieve XSS using the "preview" feature:

<p>&gt;</p>

<p><a href="javascript:alert(document.domain)">XSS</a></p>

<p>&nbsp;</p>

This issue was caused by a lack of sanitization of the data passed to the "preview" feature. The problem has been fixed in CKEditor 4 version 4.24.0-lts.
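One way to check link targets before editor data is handed to a preview window, as an added example (not code from this repository and not CKEditor's actual fix). The function names, the scheme allowlist and the list of attributes are assumptions.

```javascript
// Added example: not CKEditor's patch. Names and the allowlist are assumptions.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Normalize the way browsers do before parsing a URL: drop leading/trailing
// C0 control characters and spaces, then remove every tab and newline.
function normalizeUrl(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Returns the lowercase scheme, or null for a relative reference.
function urlScheme(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(value));
  return m ? m[1].toLowerCase() : null;
}

// Relative references and allowlisted schemes pass; everything else
// (javascript:, data:, vbscript:, ...) is rejected.
function isSafeUrl(value) {
  const scheme = urlScheme(value);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Remove href/src/action/formaction attributes whose value fails isSafeUrl.
// `root` is anything with querySelectorAll, e.g. the result of
// new DOMParser().parseFromString(editorData, 'text/html').
// Returns the rejected values so they can be logged.
function scrubUrlAttributes(root) {
  const removed = [];
  for (const attr of ['href', 'src', 'action', 'formaction']) {
    for (const el of root.querySelectorAll('[' + attr + ']')) {
      const value = el.getAttribute(attr);
      if (!isSafeUrl(value)) {
        el.removeAttribute(attr);
        removed.push(value);
      }
    }
  }
  return removed;
}
```

Because the check runs on parsed attribute values, character references in the markup are already decoded by the time it sees them.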

Affected versions

< 4.24.0-lts

Advisory

Update CKEditor 4 to version 4.24.0-lts or newer.
