Source: ckeditor
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for ckeditor.

CVE-2024-24815[0]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML
| editor. A cross-site scripting vulnerability has been discovered in
| the core HTML parsing module in versions of CKEditor4 prior to
| 4.24.0-lts. It may affect all editor instances that enabled full-
| page editing mode or enabled CDATA elements in Advanced Content
| Filtering configuration (defaults to `script` and `style` elements).
| The vulnerability allows attackers to inject malformed HTML content
| bypassing Advanced Content Filtering mechanism, which could result
| in executing JavaScript code. An attacker could abuse faulty CDATA
| content detection and use it to prepare an intentional attack on the
| editor. A fix is available in version 4.24.0-lts.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb

CVE-2024-24816[1]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML
| editor. A cross-site scripting vulnerability has been discovered in
| versions prior to 4.24.0-lts in samples that use the `preview`
| feature. All integrators that use these samples in the production
| code can be affected. The vulnerability allows an attacker to
| execute JavaScript code by abusing the misconfigured preview
| feature. It affects all users using the CKEditor 4 at version
| < 4.24.0-lts with affected samples used in a production environment.
| A fix is available in version 4.24.0-lts.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76
https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24815
    https://www.cve.org/CVERecord?id=CVE-2024-24815
[1] https://security-tracker.debian.org/tracker/CVE-2024-24816
    https://www.cve.org/CVERecord?id=CVE-2024-24816

Please adjust the affected versions in the BTS as needed.
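An added audit helper (not part of this report or of CKEditor's own code) that checks a CKEditor 4 integration for the two exposure conditions the first advisory names: full-page editing mode, or ACF rules admitting the CDATA elements script/style, on a version before 4.24.0-lts. It assumes the CKEditor 4 version string format ("4.22.1", "4.24.0-lts") and the config keys fullPage, allowedContent and extraAllowedContent; the second CVE concerns shipped samples and cannot be detected from configuration.

```javascript
// Added example, not CKEditor code. Audits an editor instance's version and
// config against the conditions in CVE-2024-24815 (assumed config key names).

const FIXED_VERSION = [4, 24, 0]; // first release carrying the fix (4.24.0-lts)

// Parse "4.24.0-lts" or "4.22.1" into numeric parts; the "-lts" suffix is ignored.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised CKEditor version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the running version predates the fixed release.
function isBeforeFix(version) {
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_VERSION[i]) return v[i] < FIXED_VERSION[i];
  }
  return false;
}

// Heuristic: do the ACF rules admit the CDATA elements script or style?
// allowedContent === true disables ACF entirely. For string rules, an element
// name appears at the start of the string or after ';' or whitespace, and is
// followed by '[', '{', '(', ';', whitespace or end of string; this avoids
// matching the attribute "style" in a rule such as "p[style]".
function allowsCdataElements(config) {
  if (config.allowedContent === true) return true;
  const rules = [config.allowedContent, config.extraAllowedContent]
    .filter((r) => typeof r === 'string')
    .join(';');
  return /(^|[;\s])(script|style)(?=$|[;\s[{(])/.test(rules);
}

// Returns one finding per exposure condition; empty when the version is fixed.
function auditEditor(version, config) {
  const findings = [];
  if (!isBeforeFix(version)) return findings;
  if (config.fullPage === true) {
    findings.push('CVE-2024-24815: full-page editing mode enabled on version < 4.24.0-lts');
  }
  if (allowsCdataElements(config)) {
    findings.push('CVE-2024-24815: ACF admits CDATA elements (script/style) on version < 4.24.0-lts');
  }
  return findings;
}

// Constructed sample: an older instance with both risky settings.
console.log(auditEditor('4.22.1', { fullPage: true, extraAllowedContent: 'script style' }));
```

Object-form allowedContent rules are not inspected by the heuristic and should be reviewed by hand.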