Skip to content

Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature

Low
jacekbogdanski published GHSA-mw2c-vx6j-mg76 Feb 7, 2024

Package

No package listed

Affected versions

< 4.24.0-lts

Patched versions

4.24.0-lts

Description

Affected packages

The vulnerability has been discovered in the samples that use the preview feature:

  • samples/old/**/*.html
  • plugins/[plugin name]/samples/**/*.html

All integrators that use these samples in the production code can be affected.

Impact

A potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.

Patches

The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Marcin Wyczechowski & Michał Majchrowicz AFINE Team for recognizing and reporting this vulnerability.

Severity

Low

CVE ID

CVE-2024-24816

Weaknesses

No CWEs