CVE-2024-45400

moderate-risk

Published 2024-09-06

ckeditor-plugin-openlink is a plugin for the CKEditor JavaScript text editor that extends the context menu with a possibility to open a link in a new tab. A vulnerability in versions of the plugin prior to 1.0.7 allowed a user to execute JavaScript code by abusing the link href attribute. The fix is available starting with version 1.0.7.

Do I need to act?

0.80% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Open Link

Affected Vendors

Mlewand

References (2)

Patch https://github.com/mlewand/ckeditor-plugin-openlink/commit/402391fdd4d9cfd079031...

Vendor Advisory https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-qj4...

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 3/34 · Minimal

Exposure 5/34 · Minimal