Fluid Attacks Database

Description

CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature

Affected packages

The vulnerability has been discovered in the samples that use the preview feature:

samples/old/**/*.html

plugins/[plugin name]/samples/**/*.html

All integrators that use these samples in the production code can be affected.

Impact

A potential vulnerability has been discovered in one of CKEditor's 4 samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.

Patches

The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Marcin Wyczechowski & Michał Majchrowicz AFINE Team for recognizing and reporting this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	ckeditor	=4.16.0+dfsg-2 \|\| =4.16.2+dfsg-1 \|\| =4.19.0+dfsg-1 \|\| =4.19.1+dfsg-1 \|\| =4.22.1+dfsg-1 \|\| =4.22.1+dfsg1-2	-
npm	ckeditor4	>=0 <4.24.0-lts	4.24.0-lts
debian 12	ckeditor	=4.19.1+dfsg-1 \|\| =4.22.1+dfsg-1 \|\| =4.22.1+dfsg1-2	-
debian 11	ckeditor3	=3.6.6.1+dfsg-7	-
debian 12	ckeditor3	=3.6.6.1+dfsg-7	-

Aliases

1. CVE-2024-248162. NVD-2024-248163. OSV-DEBIAN-2024-248164. OSV-2024-248165. GHSA-mw2c-vx6j-mg766. GCVE-2024-248167. SECURITY-TRACKER-CVE-2024-24816

References

1. https://github.com/afine-com/CVE-2024-248162. https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg763. https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb4. https://ckeditor.com/cke4/addon/preview