支持本站 — 捐款将帮助我们持续运营

目标: 1000 元,已筹: 1000

100.0%
立即捐款

POC详情: 77a0eaa3726027b0dd46a39ac9ea1c18292169bf

来源
https://github.com/afine-com/CVE-2024-24816
关联漏洞
标题:CKEditor 跨站脚本漏洞 (CVE-2024-24816)
Description:CKEditor是一套开源的、基于网页的文字编辑器。 CKEditor4 4.24.0-lts之前版本存在跨站脚本漏洞,该漏洞源于存在跨站脚本漏洞,允许攻击者通过滥用错误配置的预览功能来执行JavaScript代码。
Description
CKEditor 4 < 4.24.0-lts - XSS vulnerability in samples that use the "preview" feature.
介绍
# CVE-2024-24816
CKEditor 4 < 4.24.0-lts - XSS vulnerability in samples that use the "preview" feature. 

## Timeline
- Vulnerability reported to vendor: 18.07.2024
- New fixed 5.2.8 version released: 07.02.2024
- Public disclosure: 06.01.2024

## Description

Cross-Site-Scripting (XSS) vulnerability in CkEditor 4 sample files. This vulnerability allows an attacker to execute untrusted JavaScript code in the context of the currently logged-in user.

The vulnerability exists in sample files that use the "preview" feature:
```
samples/old/**/*.html
plugins/[plugin name]/samples/**/*.html
```

The following code can be used to achieve XSS using the "preview" feature:
```
<p>&gt;</p>

<p><a href="javascript:alert(document.domain)">XSS</a></p>

<p>&nbsp;</p>
```

This issue was caused by a lack of sanitization of the data passed to "preview" feature. This problem has been fixed in CKEditor 4 at version 4.24.0-lts.

## Affected versions
< 4.24.0-lts

## Advisory
Update CKEditor 4 to version 4.24.0-lts or newer.

### References
* https://ckeditor.com/cke4/release-notes
* https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76
* https://nvd.nist.gov/vuln/detail/CVE-2024-24816
文件快照

 [4.0K]  /data/pocs/77a0eaa3726027b0dd46a39ac9ea1c18292169bf
├── [ 34K]  LICENSE
└── [1.2K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。