CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
25.0%
The vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that:
script
and style
elements).A potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. It affects all users using the CKEditor 4 at version < 4.24.0-lts.
The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.
Email us at [email protected] if you have any questions or comments about this advisory.
The CKEditor 4 team would like to thank Michal Frýba from ALEF NULA for recognizing and reporting this vulnerability.
ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata
ckeditor.com/docs/ckeditor4/latest/features/fullpage.html
ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html
github.com/ckeditor/ckeditor4
github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb
github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
nvd.nist.gov/vuln/detail/CVE-2024-24815
www.drupal.org/sa-contrib-2024-009
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
25.0%