Moderate severityNVD Advisory· Published Feb 7, 2024· Updated Aug 1, 2024
Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature
CVE-2024-24816
Description
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the preview feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ckeditor4npm | < 4.24.0-lts | 4.24.0-lts |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-mw2c-vx6j-mg76ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-24816ghsaADVISORY
- ckeditor.com/cke4/addon/previewghsax_refsource_MISCWEB
- github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cbghsax_refsource_MISCWEB
- github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.