PT-2024-1942 · Ckeditor 4

Marcin Wyczechowski

Published: 2024-02-07 · Updated: 2025-02-06 · CVE-2024-24816

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: CKEditor 4 versions prior to 4.24.0-lts

Description: A cross-site scripting vulnerability has been discovered in CKEditor 4, affecting versions prior to 4.24.0-lts that use the preview feature. It allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. All users running CKEditor 4 at a version below 4.24.0-lts with the affected samples deployed in a production environment are affected.

Recommendations: For CKEditor 4 versions prior to 4.24.0-lts, update to version 4.24.0-lts to resolve the issue. As a temporary workaround, consider disabling the preview feature until a patch is available. Restrict access to the affected samples, such as samples/old/**/*.html and plugins/[plugin name]/samples/**/*.html, to minimize the risk of exploitation. Avoid using the misconfigured preview feature in production environments until the issue is resolved.
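The following audit helper is an added example, not part of this advisory or of the CKEditor project: it checks a deployed CKEditor 4 tree's version against the fixed release 4.24.0-lts and lists the sample pages under the two path globs the recommendations say to restrict. It assumes the install root carries the upstream package.json with a "version" field; the paths used in the test are constructed.

```python
"""Audit helper for CVE-2024-24816 in a deployed CKEditor 4 tree (added example)."""
import json
import re
import sys
from pathlib import Path

FIXED = (4, 24, 0)  # 4.24.0-lts is the first release carrying the fix
# Sample page globs quoted in the advisory, relative to the install root.
SAMPLE_GLOBS = ("samples/old/**/*.html", "plugins/*/samples/**/*.html")

def _glob_to_regex(glob: str):
    """'**/' = zero or more directories, '*' = any run of non-slash characters."""
    pat = re.escape(glob).replace(r"\*\*/", "(?:.*/)?").replace(r"\*", "[^/]*")
    return re.compile("^" + pat + "$")

SAMPLE_PATTERNS = tuple(_glob_to_regex(g) for g in SAMPLE_GLOBS)

def parse_version(version: str) -> tuple:
    """'4.22.1' or '4.23.0-lts' -> (4, 22, 1) / (4, 23, 0); the '-lts' suffix is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised CKEditor version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True for any CKEditor 4 release older than 4.24.0-lts."""
    v = parse_version(version)
    return v[0] == 4 and v < FIXED

def exposed_samples(relative_paths) -> list:
    """Keep only the paths (relative to the install root, '/' separated)
    that fall under the sample globs the advisory recommends restricting."""
    return sorted(p for p in relative_paths
                  if any(r.match(p) for r in SAMPLE_PATTERNS))

def audit(root: Path) -> dict:
    """Assumes root/package.json carries a 'version' field (upstream ckeditor4 layout)."""
    version = json.loads((root / "package.json").read_text())["version"]
    files = (p.relative_to(root).as_posix() for p in root.rglob("*.html"))
    return {"version": version, "affected": is_affected(version),
            "exposed_samples": exposed_samples(files)}

if __name__ == "__main__":
    # Usage: python audit_ckeditor.py /path/to/ckeditor ; exits 1 when exposed
    report = audit(Path(sys.argv[1]))
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["affected"] and report["exposed_samples"] else 0)
```

A non-zero exit only when both conditions hold keeps the check useful after the upgrade: an updated tree that still ships the sample pages is reported but not flagged.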

Tags: Exploit · Fix · XSS

Related Identifiers

BDU:2024-01737
CVE-2024-24816
GHSA-MW2C-VX6J-MG76
USN-7258-1

Affected Products

Ckeditor 4
Debian
Linuxmint
Ubuntu