CVE-2024-24815: CKEditor4 Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection

Published Feb 7, 2024
·
Updated

Affected packages The vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that: Enabled full-page editing mode, or enabled CDATA elements in Advanced Content Filtering configuration (defaults to script and style elements).

Impact

A potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. It affects all users using the CKEditor 4 at version < 4.24.0-lts.

Patches The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information Email us at security@cksource.com if you have any questions or comments about this advisory.

Acknowledgements The CKEditor 4 team would like to thank Michal Frýba from ALEF NULA for recognizing and reporting this vulnerability.

Other sources

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to script and style elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.

NVD

Affected Software

5 affected componentsFixes available
composer/ckeditor/ckeditor<4.24.0
4.24.0
npm/ckeditor4<4.24.0-lts
4.24.0-lts
debian/ckeditor<=4.16.0+dfsg-2, <=4.19.1+dfsg-1, <=4.22.1+dfsg1-2
debian/ckeditor3<=3.6.6.1+dfsg-7
CKEditor CKEditor>=4.0<4.24.0

Remediation

Patch Available

https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb

Event History

Feb 7, 2024
CVE Published
via MITRE·03:14 PM
Data Sourced
via MITRE·03:14 PM
DescriptionSeverityWeakness
Advisory Published
via GitHub·05:30 PM
Feb 6, 2025
Data Sourced
via Debian·06:38 AM
DescriptionAffected Software
Data Sourced
via Launchpad·06:38 AM
Description
Feb 10, 2025
Data Sourced
via Ubuntu·06:37 AM
RemedyDescriptionSeverityAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-24815?

CVE-2024-24815 is classified as a moderate severity vulnerability affecting the core HTML parsing module of CKEditor.

2

How do I fix CVE-2024-24815?

To fix CVE-2024-24815, you should upgrade to CKEditor version 4.24.0 or later.

3

Which software versions are affected by CVE-2024-24815?

CVE-2024-24815 affects CKEditor versions prior to 4.24.0 and 4.24.0-lts.

4

What features of CKEditor are impacted by CVE-2024-24815?

CVE-2024-24815 impacts CKEditor instances that have enabled full-page editing or CDATA mode.

5

Is there a workaround for CVE-2024-24815 if I can't upgrade?

Currently, the best approach to mitigate CVE-2024-24815 is to disable full-page editing and CDATA mode until an upgrade can be completed.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203