CVE-2024-24815: 
JavaScript vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been discovered in CKEditor4, an open source what-you-see-is-what-you-get HTML editor, tracked as CVE-2024-24815. The vulnerability was found in the core HTML parsing module in versions prior to 4.24.0-lts. It affects editor instances that have enabled either full-page editing mode or CDATA elements in Advanced Content Filtering configuration (which defaults to script and style elements) (GitHub Advisory, NVD).

The vulnerability stems from incorrect CDATA detection in the HTML parsing module. The issue allows attackers to bypass the Advanced Content Filtering mechanism by injecting malformed HTML content. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

A successful exploitation of this vulnerability could result in executing arbitrary JavaScript code in the context of the editor. This could potentially lead to cross-site scripting attacks when malicious content is processed by the editor (GitHub Advisory).

The vulnerability has been patched in version 4.24.0-lts. Users are advised to upgrade to this version to mitigate the risk. No alternative workarounds have been provided (GitHub Advisory).

The CKEditor 4 team acknowledged Michal Frýba from ALEF NULA for recognizing and reporting this vulnerability (GitHub Advisory).