6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-24815

GHSA ID

GHSA-fq6h-4g8v-qqvm

EPSS Score

0.31325%

CWE

CWE-79

Published

2/7/2024

Updated

3/6/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-24815

CVE-2024-24815: CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection

Affected packages

The vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that:

Enabled full-page editing mode,
or enabled CDATA elements in Advanced Content Filtering configuration (defaults to script and style elements).

Impact

A potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. It affects all users using the CKEditor 4 at version < 4.24.0-lts.

Patches

The problem has been recognized and patched. The fix will be available in version 4.24.0-lts.

For more information

Email us at security@cksource.com if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Michal Frýba from ALEF NULA for recognizing and reporting this vulnerability.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-24815

GHSA ID

GHSA-fq6h-4g8v-qqvm

EPSS Score

0.31325%

CWE

CWE-79

Published

2/7/2024

Updated

3/6/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ckeditor4	npm	< 4.24.0-lts	4.24.0-lts
ckeditor/ckeditor	composer	< 4.24.0	4.24.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the HTML parser's CDATA processing in core/htmlparser.js. The commit diff shows critical changes to CDATA handling:- Removed conditional text accumulation in cdata array- Changed cdata.join('') to direct cdata passing- Added regex-based CDATA boundary detection. The original implementation's incremental text accumulation and improper CDATA termination checks allowed attackers to inject unescaped content between CDATA tags that would bypass ACF validation. The patch fixes this by using strict regex matching for CDATA section boundaries.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### *****t** p**k***s T** vuln*r**ility **s ***n *is*ov*r** in t** *or* *TML p*rsin* mo*ul* *n* m*y *****t *ll **itor inst*n**s t**t: * *n**l** [*ull-p*** **itin*](*ttps://*k**itor.*om/*o*s/*k**itor*/l*t*st/***tur*s/*ullp***.*tml) mo**, * or *n**l**

Reasoning

T** vuln*r**ility st*ms *rom t** *TML p*rs*r's ***T* pro**ssin* in `*or*/*tmlp*rs*r.js`. T** *ommit *i** s*ows *riti**l ***n**s to ***T* **n*lin*:- R*mov** *on*ition*l t*xt ***umul*tion in ***t* *rr*y- ***n*** `***t*.join('')` to *ir**t ***t* p*ssin*

6.1

Basic Information

Concerned about an active attack path?

CVE-2024-24815: CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection

Affected packages

Impact

Patches

For more information

Acknowledgements

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI