PT-2024-20582 · Ckeditor4+3
Michal Frýba · Published 2024-02-07 · Updated 2025-02-06
CVE-2024-24815
CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
CKEditor4 versions prior to 4.24.0-lts
Description
A cross-site scripting vulnerability has been discovered in the core HTML parsing module of CKEditor4. It may affect all editor instances that have enabled full-page editing mode or enabled CDATA elements in the Advanced Content Filtering configuration, which defaults to script and style elements. The vulnerability allows attackers to inject malformed HTML content that bypasses the Advanced Content Filtering mechanism, which could result in the execution of JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor.
Recommendations
For versions prior to 4.24.0-lts, update to version 4.24.0-lts to resolve the issue. As a temporary workaround, consider disabling full-page editing mode or restricting the use of CDATA elements in Advanced Content Filtering configuration to minimize the risk of exploitation. Avoid using the script and style elements in the affected configuration until the issue is resolved.
Exploit
Fix
XSS
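One way to audit an editor configuration against the conditions named in the description and recommendations, as an added example (not CKEditor code and not part of the advisory). `assessExposure` and its helpers are hypothetical names; the version string is assumed to be the value the build reports in `CKEDITOR.version`, and only string-form Advanced Content Filtering rules are parsed.

```javascript
// Added example: hypothetical helper, not part of CKEditor 4.
// Flags the exposure conditions named in the advisory for one editor config.
const FIXED = [4, 24, 0];                  // 4.24.0-lts, the fixed release per the advisory
const CDATA_ELEMENTS = ['script', 'style'];

// "4.23.0-lts" -> [4, 23, 0]; any suffix after the numbers is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error('unrecognised version: ' + v);
  return m.slice(1).map(Number);
}

function isBeforeFix(v) {
  const p = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false;
}

// Element names of a string-form ACF rule set, e.g. "p b; a[!href]; script".
// bareOnly keeps only rules that have no [attrs]{styles}(classes) part.
function ruleElements(rules, bareOnly) {
  if (typeof rules !== 'string') return [];
  return rules.split(';').flatMap((rule) => {
    const r = rule.trim();
    const cut = r.search(/[\[{(]/);
    if (bareOnly && cut !== -1) return [];
    return (cut === -1 ? r : r.slice(0, cut)).split(/\s+/).filter(Boolean);
  });
}

function assessExposure(version, config) {
  const findings = [];
  if (!isBeforeFix(version)) return findings;   // fixed release: nothing to flag
  if (config.fullPage === true) findings.push('fullPage');
  const allowed = ruleElements(config.allowedContent, false)
    .concat(ruleElements(config.extraAllowedContent, false));
  const blocked = ruleElements(config.disallowedContent, true);
  for (const el of CDATA_ELEMENTS) {
    if (allowed.includes(el) && !blocked.includes(el)) findings.push('acf:' + el);
  }
  return findings;
}
```

An empty result for a pre-4.24.0-lts build means neither listed condition was found in the string rules; object-form and array-form rules need a separate review.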
Weakness Enumeration
Related Identifiers
Affected Products
Ckeditor4
Debian
Linuxmint
Ubuntu