2263234 – (CVE-2024-24816) CVE-2024-24816 ckeditor: cross-site scripting vulnerability in samples with preview feature enabled

Bug 2263234 (CVE-2024-24816) - CVE-2024-24816 ckeditor: cross-site scripting vulnerability in samples with preview feature enabled

Summary: CVE-2024-24816 ckeditor: cross-site scripting vulnerability in samples with p...

Keywords:
Status:	NEW
Alias:	CVE-2024-24816
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2263235 2263236
Blocks:
TreeView+	depends on / blocked

Reported:	2024-02-07 18:36 UTC by Robb Gatica
Modified:	2024-02-07 18:36 UTC (History)
CC List:	0 users
Fixed In Version:	ckeditor4 4.24.0-lts
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Robb Gatica 2024-02-07 18:36:43 UTC

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.

https://ckeditor.com/cke4/addon/preview
https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76

Comment 1 Robb Gatica 2024-02-07 18:36:59 UTC

Created ckeditor tracking bugs for this issue:

Affects: epel-all [bug 2263235]
Affects: fedora-all [bug 2263236]

Note You need to log in before you can comment on or make changes to this bug.