Detections
Analytics

CKEditor < 4.24.0-LTS Multiples Cross-Site Scripting

medium Web App Scanning Plugin ID 114426

Language:

Synopsis

CKEditor < 4.24.0-LTS Multiples Cross-Site Scripting

Description

According to its self-reported version number, the CKEditor application running on the remote host is prior to 4.24.0-LTS. It is, therefore, affected by multiples Cross-Site-Scripting :

- In samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. - In samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. - Through processing core module. The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to CKEditor version 4.24.0-LTS or later.

See Also

https://ckeditor.com/cke4/release/CKEditor-4.24.0-LTS

Plugin Details

Severity: Medium

ID: 114426

Type: remote

Published: 9/9/2024

Updated: 9/9/2024

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2023-4771

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS Score Source: CVE-2023-4771

Vulnerability Information

CPE: cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/7/2024

Vulnerability Publication Date: 2/7/2024

Reference Information

CVE: CVE-2023-4771, CVE-2024-24815, CVE-2024-24816