cvelistv5 - cve-2024-24815

URL	Tags
security-advisories@github.com	https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata	Product
security-advisories@github.com	https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html	Product
security-advisories@github.com	https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html	Product
security-advisories@github.com	https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb	Patch
security-advisories@github.com	https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm	Vendor Advisory
security-advisories@github.com	https://www.drupal.org/sa-contrib-2024-009

▼	Vendor	Product
	ckeditor	ckeditor4

ghsa-fq6h-4g8v-qqvm

Vulnerability from github

Published

2024-02-07 17:30

Modified

2024-03-06 15:35

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection

Details

Affected packages

The vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that: * Enabled full-page editing mode, * or enabled CDATA elements in Advanced Content Filtering configuration (defaults to script and style elements).

Impact

A potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. It affects all users using the CKEditor 4 at version < 4.24.0-lts.

Patches

The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information

Email us at security@cksource.com if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Michal Frýba from ALEF NULA for recognizing and reporting this vulnerability.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ckeditor4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.24.0-lts"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ckeditor/ckeditor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-07T17:30:37Z",
    "nvd_published_at": "2024-02-07T16:15:47Z",
    "severity": "MODERATE"
  },
  "details": "### Affected packages\nThe vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that:\n* Enabled [full-page editing](https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html) mode,\n* or enabled [CDATA](https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata) elements in [Advanced Content Filtering](https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html) configuration (defaults to `script` and `style` elements).\n\n### Impact\n\nA potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. It affects all users using the CKEditor 4 at version \u003c 4.24.0-lts.\n\n### Patches\nThe problem has been recognized and patched. The fix will be available in version 4.24.0-lts.\n\n### For more information\nEmail us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory.\n\n### Acknowledgements\nThe CKEditor 4 team would like to thank [Michal Fr\u00fdba](https://cz.linkedin.com/in/michal-fryba) from [ALEF NULA](https://www.alefnula.com/) for recognizing and reporting this vulnerability.",
  "id": "GHSA-fq6h-4g8v-qqvm",
  "modified": "2024-03-06T15:35:17Z",
  "published": "2024-02-07T17:30:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24815"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb"
    },
    {
      "type": "WEB",
      "url": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata"
    },
    {
      "type": "WEB",
      "url": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html"
    },
    {
      "type": "WEB",
      "url": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ckeditor/ckeditor4"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2024-009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection"
}

gsd-2024-24815

Vulnerability from gsd

Modified

2024-02-01 06:02

Details

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.

Aliases

CVE-2024-24815

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-24815"
      ],
      "details": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.",
      "id": "GSD-2024-24815",
      "modified": "2024-02-01T06:02:24.355473Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-24815",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "ckeditor4",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 4.24.0-lts"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ckeditor"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm",
            "refsource": "MISC",
            "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm"
          },
          {
            "name": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
            "refsource": "MISC",
            "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb"
          },
          {
            "name": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata",
            "refsource": "MISC",
            "url": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata"
          },
          {
            "name": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html",
            "refsource": "MISC",
            "url": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html"
          },
          {
            "name": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html",
            "refsource": "MISC",
            "url": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html"
          },
          {
            "name": "https://www.drupal.org/sa-contrib-2024-009",
            "refsource": "MISC",
            "url": "https://www.drupal.org/sa-contrib-2024-009"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-fq6h-4g8v-qqvm",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:lts:*:*:*",
                    "matchCriteriaId": "5070BF32-E186-434A-9640-21D43A3CDA38",
                    "versionEndExcluding": "4.24.0",
                    "versionStartIncluding": "4.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts."
          },
          {
            "lang": "es",
            "value": "CKEditor4 es un editor HTML de c\u00f3digo abierto de lo que ves es lo que obtienes. Se ha descubierto una vulnerabilidad de cross-site scripting en el m\u00f3dulo principal de an\u00e1lisis HTML en versiones de CKEditor4 anteriores a la 4.24.0-lts. Puede afectar a todas las instancias del editor que habilitaron el modo de edici\u00f3n de p\u00e1gina completa o habilitaron elementos CDATA en la configuraci\u00f3n de filtrado de contenido avanzado (los elementos predeterminados son `script` y `style`). La vulnerabilidad permite a los atacantes inyectar contenido HTML con formato incorrecto sin pasar por el mecanismo de filtrado de contenido avanzado, lo que podr\u00eda resultar en la ejecuci\u00f3n de c\u00f3digo JavaScript. Un atacante podr\u00eda abusar de la detecci\u00f3n de contenido CDATA defectuosa y utilizarla para preparar un ataque intencional al editor. Hay una soluci\u00f3n disponible en la versi\u00f3n 4.24.0-lts."
          }
        ],
        "id": "CVE-2024-24815",
        "lastModified": "2024-03-06T10:15:45.293",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 2.7,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 2.7,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-07T16:15:47.753",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Product"
            ],
            "url": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Product"
            ],
            "url": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Product"
            ],
            "url": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://www.drupal.org/sa-contrib-2024-009"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-79"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

wid-sec-w-2024-0400

Vulnerability from csaf_certbund

Published

2024-02-14 23:00

Modified

2024-02-14 23:00

Summary

Drupal: Schwachstelle ermöglicht Cross-Site Scripting

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Drupal ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Drupal ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "niedrig"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Drupal ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. \u00dcber zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Drupal ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0400 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0400.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0400 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0400"
      },
      {
        "category": "external",
        "summary": "Drupal Security Advisory vom 2024-02-14",
        "url": "https://www.drupal.org/sa-contrib-2024-009"
      }
    ],
    "source_lang": "en-US",
    "title": "Drupal: Schwachstelle erm\u00f6glicht Cross-Site Scripting",
    "tracking": {
      "current_release_date": "2024-02-14T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T18:00:37.135+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2024-0400",
      "initial_release_date": "2024-02-14T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-02-14T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "CKEditor \u003c 1.0.1",
                "product": {
                  "name": "Open Source Drupal CKEditor \u003c 1.0.1",
                  "product_id": "T032835",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:drupal:drupal:ckeditor__1.0.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Drupal"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-24815",
      "notes": [
        {
          "category": "description",
          "text": "In Drupal existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in CKEditor nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, authentifiziert Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "release_date": "2024-02-14T23:00:00Z",
      "title": "CVE-2024-24815"
    }
  ]
}

cve-2024-24815

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

cve-2024-24815

Vulnerability from cvelistv5

ghsa-fq6h-4g8v-qqvm

Vulnerability from github

Affected packages

Impact

Patches

For more information

Acknowledgements

gsd-2024-24815

Vulnerability from gsd

wid-sec-w-2024-0400

Vulnerability from csaf_certbund

Tags

Sightings

Nomenclature