Reflected cross-site scripting (XSS) in drupal/ckeditor_lts

Description

The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update for an issue that, on certain configurations, affects the Drupal module that bundles and integrates this code.

The vulnerability is mitigated by the fact that it requires one of the following:

    full-page editing mode is enabled, or

    CDATA elements in the Advanced Content Filtering configuration (which defaults to the script and style elements) are enabled.

    In addition, an attacker must hold a permission that grants access to the CKEditor instance.

For more information, see CKEditor's security advisory:
CVE-2024-24815: Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection
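The two configuration preconditions listed above (full-page editing mode, and CDATA elements allowed through Advanced Content Filtering) are what a site owner can check for. The following is an added example, not code from this advisory, from CKEditor or from the Drupal module: a small audit function that takes a CKEditor 4 configuration object and reports whether either precondition holds. It assumes the real config keys `fullPage`, `allowedContent` and `extraAllowedContent`, uses a deliberately simplified parser for the ACF rule string (only element names are extracted), and treats a disabled ACF (`allowedContent: true`) or a `*` element rule conservatively as allowing everything. The sample configurations are constructed.

```javascript
// Added example: audit a CKEditor 4 configuration object for the two
// preconditions this advisory names (full-page editing mode, and CDATA
// elements allowed by Advanced Content Filtering). Not code from the
// advisory, CKEditor or Drupal; the configs below are constructed.

// CKEditor 4's CDATA elements (CKEDITOR.dtd.$cdata); the advisory says the
// default set is script and style.
const CDATA_ELEMENTS = ['script', 'style'];

// Simplified ACF rule parser (assumption: only element names matter here).
// Handles the string form 'p h1; a[!href]; img[src,alt]{width}', the object
// form { 'p h1': true, '$1': { elements: 'a', attributes: 'href' } }, and
// `true` (ACF disabled, everything allowed).
function allowedElementsFromRule(rule) {
  const names = new Set();
  if (rule === true) {
    names.add('*');
    return names;
  }
  if (typeof rule === 'string') {
    for (const part of rule.split(';')) {
      // Drop the [attributes]{styles}(classes) suffix, keep the element list.
      const elements = part.replace(/[\[{(].*$/, '').trim();
      for (const name of elements.split(/\s+/).filter(Boolean)) {
        names.add(name.toLowerCase());
      }
    }
  } else if (rule && typeof rule === 'object') {
    for (const [key, value] of Object.entries(rule)) {
      let elements = key;
      if (key.startsWith('$')) {
        // Numbered rules carry their element list in `elements`.
        if (!value || typeof value.elements !== 'string') continue;
        elements = value.elements;
      }
      for (const name of elements.split(/\s+/).filter(Boolean)) {
        names.add(name.toLowerCase());
      }
    }
  }
  return names;
}

// Returns { exposed, findings }: `exposed` is true when at least one of the
// advisory's preconditions is present in the given config.
function auditEditorConfig(config) {
  const findings = [];
  if (config.fullPage === true) {
    findings.push('fullPage is enabled (full-page editing mode)');
  }
  const allowed = allowedElementsFromRule(config.allowedContent);
  for (const name of allowedElementsFromRule(config.extraAllowedContent)) {
    allowed.add(name);
  }
  // A wildcard element rule or a disabled ACF is treated conservatively as
  // allowing every element, including the CDATA ones.
  const cdataAllowed = allowed.has('*')
    ? CDATA_ELEMENTS.slice()
    : CDATA_ELEMENTS.filter((element) => allowed.has(element));
  if (cdataAllowed.length > 0) {
    findings.push(`ACF allows CDATA elements: ${cdataAllowed.join(', ')}`);
  }
  return { exposed: findings.length > 0, findings };
}

// Constructed sample configurations: one matching both preconditions, one
// with full-page mode off and a strict ACF allowlist without script/style.
const WEAK_CONFIG = { fullPage: true, allowedContent: true };
const HARDENED_CONFIG = {
  fullPage: false,
  allowedContent: 'p h1 h2 h3 ul ol li; a[!href]; strong em; img[src,alt]',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, cfg] of Object.entries({ WEAK_CONFIG, HARDENED_CONFIG })) {
    console.log(label, auditEditorConfig(cfg));
  }
}
```

On a Drupal site the effective `allowedContent` is normally derived from the text format's allowed HTML tags, so the object to audit is the configuration the editor is actually initialised with, not only what is written in a static config file; the check here is a starting point for that review, not a substitute for applying the patched release.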

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
