CVE-2024-24816

Name	CVE-2024-24816
Description	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1063536, 1063537

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ckeditor (PTS)	buster	4.11.1+dfsg-1	vulnerable
	bullseye	4.16.0+dfsg-2	vulnerable
	bookworm	4.19.1+dfsg-1	vulnerable
	trixie, sid	4.22.1+dfsg1-2	vulnerable
ckeditor3 (PTS)	buster	3.6.6.1+dfsg-3	vulnerable
	trixie, sid, bookworm, bullseye	3.6.6.1+dfsg-7	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
ckeditor	source	(unstable)	(unfixed)		1063536
ckeditor3	source	buster	(unfixed)	end-of-life
ckeditor3	source	(unstable)	(unfixed)		1063537

Notes

[bookworm] - ckeditor <no-dsa> (Minor issue)
[bullseye] - ckeditor <no-dsa> (Minor issue)
[buster] - ckeditor <no-dsa> (Minor issue)
[bookworm] - ckeditor3 <no-dsa> (Minor issue)
[bullseye] - ckeditor3 <no-dsa> (Minor issue)
[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76
https://github.com/ckeditor/ckeditor4/commit/7518202f0f228ee5549a36ecb7cb880b06ea5add (4.24.0-lts)