[From nobody Wed Apr 8 08:45:08 2026 Received: (at submit) by bugs.debian.org; 9 Feb 2024 14:04:05 +0000 X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02 (2021-04-09) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-4.8 required=4.0 tests=BAYES_00,FOURLA, FVGT_m_MULTI_ODD,MD5_SHA1_SUM,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 41; hammy, 150; neutral, 58; spammy, 0. spammytokens: hammytokens:0.000-+--H*RU:inutil.org, 0.000-+--H*r:jmm, 0.000-+--UD:security-tracker.debian.org, 0.000-+--security-tracker.debian.org, 0.000-+--securitytrackerdebianorg Return-path: <jmm@inutil.org> Received: from inutil.org ([109.69.64.57]:43726 helo=viruvalge.hosting.plutex.de) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from <jmm@inutil.org>) id 1rYRU2-00HUhY-TY for submit@bugs.debian.org; Fri, 09 Feb 2024 14:04:04 +0000 Received: by viruvalge.hosting.plutex.de (Postfix, from userid 112) id 01BA2403B2; Fri, 9 Feb 2024 15:04:01 +0100 (CET) Received: from hullmann.fritz.box (p548dcf37.dip0.t-ipconnect.de [84.141.207.55]) by viruvalge.hosting.plutex.de (Postfix) with ESMTPSA id C60134008D for <submit@bugs.debian.org>; Fri, 9 Feb 2024 15:04:00 +0100 (CET) Received: from jmm by hullmann.fritz.box with local (Exim 4.96) (envelope-from <jmm@hullmann.westfalen.local>) id 1rYRTy-0002AY-0f for submit@bugs.debian.org; Fri, 09 Feb 2024 15:03:58 +0100 Date: Fri, 9 Feb 2024 15:03:58 +0100 To: submit@bugs.debian.org Subject: ckeditor: CVE-2024-24815 CVE-2024-24816 Message-ID: <ZcYwzkmhK6Bw+XaP@pisco.westfalen.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline From: =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= <jmm@inutil.org> Delivered-To: submit@bugs.debian.org Source: ckeditor X-Debbugs-CC: team@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for ckeditor. CVE-2024-24815[0]: | CKEditor4 is an open source what-you-see-is-what-you-get HTML | editor. A cross-site scripting vulnerability has been discovered in | the core HTML parsing module in versions of CKEditor4 prior to | 4.24.0-lts. It may affect all editor instances that enabled full- | page editing mode or enabled CDATA elements in Advanced Content | Filtering configuration (defaults to `script` and `style` elements). | The vulnerability allows attackers to inject malformed HTML content | bypassing Advanced Content Filtering mechanism, which could result | in executing JavaScript code. An attacker could abuse faulty CDATA | content detection and use it to prepare an intentional attack on the | editor. A fix is available in version 4.24.0-lts. https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb CVE-2024-24816[1]: | CKEditor4 is an open source what-you-see-is-what-you-get HTML | editor. A cross-site scripting vulnerability vulnerability has been | discovered in versions prior to 4.24.0-lts in samples that use the | `preview` feature. All integrators that use these samples in the | production code can be affected. The vulnerability allows an | attacker to execute JavaScript code by abusing the misconfigured | preview feature. It affects all users using the CKEditor 4 at | version < 4.24.0-lts with affected samples used in a production | environment. A fix is available in version 4.24.0-lts. https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76 https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-24815 https://www.cve.org/CVERecord?id=CVE-2024-24815 [1] https://security-tracker.debian.org/tracker/CVE-2024-24816 https://www.cve.org/CVERecord?id=CVE-2024-24816 Please adjust the affected versions in the BTS as needed. ]