CVE-2024-24816 - OpenCVE

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ckeditor	Ckeditor

Configuration 1 [-]

cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://ckeditor.com/cke4/addon/preview
https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-07T16:58:24.564Z

Updated: 2024-08-01T23:28:12.611Z

Reserved: 2024-01-31T16:28:17.942Z

Link: CVE-2024-24816

Vulnrichment

Updated: 2024-08-01T23:28:12.611Z

NVD

Status : Analyzed

Published: 2024-02-07T17:15:11.383

Modified: 2024-02-15T05:01:35.393

Link: CVE-2024-24816

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24816", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-31T16:28:17.942Z", "datePublished": "2024-02-07T16:58:24.564Z", "dateUpdated": "2024-08-01T23:28:12.611Z"}, "containers": {"cna": {"title": "Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76"}, {"name": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "tags": ["x_refsource_MISC"], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb"}, {"name": "https://ckeditor.com/cke4/addon/preview", "tags": ["x_refsource_MISC"], "url": "https://ckeditor.com/cke4/addon/preview"}], "affected": [{"vendor": "ckeditor", "product": "ckeditor4", "versions": [{"version": "< 4.24.0-lts", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-07T16:58:24.564Z"}, "descriptions": [{"lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts."}], "source": {"advisory": "GHSA-mw2c-vx6j-mg76", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24816", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T20:41:03.498820Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:43:36.184Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.611Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76"}, {"name": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb"}, {"name": "https://ckeditor.com/cke4/addon/preview", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ckeditor.com/cke4/addon/preview"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76", "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "name": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://ckeditor.com/cke4/addon/preview", "name": "https://ckeditor.com/cke4/addon/preview", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.611Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24816", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T20:41:03.498820Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:12.608Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature", "source": {"advisory": "GHSA-mw2c-vx6j-mg76", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "ckeditor", "product": "ckeditor4", "versions": [{"status": "affected", "version": "< 4.24.0-lts"}]}], "references": [{"url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76", "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "name": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "tags": ["x_refsource_MISC"]}, {"url": "https://ckeditor.com/cke4/addon/preview", "name": "https://ckeditor.com/cke4/addon/preview", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-07T16:58:24.564Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24816", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:28:12.611Z", "dateReserved": "2024-01-31T16:28:17.942Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-07T16:58:24.564Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6B9E14F-3103-4A78-A337-47786B2B06ED", "versionEndExcluding": "4.24.0", "versionStartIncluding": "4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts."}, {"lang": "es", "value": "CKEditor4 es un editor HTML de c\u00f3digo abierto de lo que ves es lo que obtienes. Se descubri\u00f3 una vulnerabilidad de cross-site scripting en versiones anteriores a la 4.24.0-lts en muestras que utilizan la funci\u00f3n \"vista previa\". Todos los integradores que utilicen estos ejemplos en el c\u00f3digo de producci\u00f3n pueden verse afectados. La vulnerabilidad permite a un atacante ejecutar c\u00f3digo JavaScript abusando de la funci\u00f3n de vista previa mal configurada. Afecta a todos los usuarios que utilizan CKEditor 4 en la versi\u00f3n <4.24.0-lts con muestras afectadas utilizadas en un entorno de producci\u00f3n. Hay una soluci\u00f3n disponible en la versi\u00f3n 4.24.0-lts."}], "id": "CVE-2024-24816", "lastModified": "2024-02-15T05:01:35.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-02-07T17:15:11.383", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://ckeditor.com/cke4/addon/preview"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}