CVE-2024-24816

moderate-risk
Published 2024-02-07

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.

Do I need to act?

!
39.8% chance of exploitation in next 30 days
EPSS score — higher than 60% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Ckeditor

References (6)

Product https://ckeditor.com/cke4/addon/preview
Patch https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972...
Vendor Advisory https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76
Product https://ckeditor.com/cke4/addon/preview
Patch https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972...
Vendor Advisory https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76
45
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 17/34 · Moderate
Exposure 5/34 · Minimal