openSUSE 15 Security Update : python-django-ckeditor (openSUSE-SU-2025:0008-1)

Nessus Plugin ID 213541 (Severity: Medium)

Synopsis

The remote openSUSE host is missing a security update.

Description

The remote openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2025:0008-1 advisory.

- Update to 6.7.2
* Deprecated the package.
* Added a new ckeditor/fixups.js script which disables the version check again (if something slips through by accident) and which disables the behavior where CKEditor 4 would automatically attach itself to unrelated HTML elements with a contenteditable attribute (see CKEDITOR.disableAutoInline in the CKEditor 4 docs).
- CVE-2024-24815: Fixed bypass of Advanced Content Filtering mechanism (boo#1219720)

- update to 6.7.1:
* Add Python 3.12, Django 5.0
* Silence the CKEditor version check/nag but include a system check warning

- update to 6.7.0:
* Dark mode fixes.
* Added support for Pillow 10.

- update to 6.6.1:
* Required a newer version of django-js-asset which actually works with Django 4.1.
* CKEditor 4.21.0
* Fixed the CKEditor styles when used with the dark Django admin theme.

- update to 6.5.1:
* Avoided calling ``static()`` if ``CKEDITOR_BASEPATH`` is defined.
* Fixed ``./manage.py generateckeditorthumbnails`` to work again after the image uploader backend rework.
* CKEditor 4.19.1
* Stopped calling ``static()`` during application startup.
* Added Django 4.1
* Changed the context for the widget to deviate less from Django. Removed a few template variables which are not used in the bundled ``ckeditor/widget.html`` template. This only affects you if you are using a customized widget or widget template.
* Dropped support for Python < 3.8, Django < 3.2.
* Added a pre-commit configuration.
* Added a GitHub action for running tests.
* Made selenium tests require opt in using a ``SELENIUM=firefox`` or ``SELENIUM=chromium`` environment variable.
* Made it possible to override the CKEditor template in the widget class.
* Changed ``CKEDITOR_IMAGE_BACKEND`` to require dotted module paths (the old identifiers are still supported for now).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected python311-django-ckeditor package.

See Also

https://bugzilla.suse.com/1219720

http://www.nessus.org/u?b3c37f7e

https://www.suse.com/security/cve/CVE-2024-24815

Plugin Details

Severity: Medium

ID: 213541

File Name: openSUSE-2025-0008-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/8/2025

Updated: 1/8/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2024-24815

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:15.5, p-cpe:/a:novell:opensuse:python311-django-ckeditor

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 1/7/2025

Vulnerability Publication Date: 2/7/2024

Reference Information

CVE: CVE-2024-24815