DRUPAL-CONTRIB-2024-009

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ckeditor_lts/DRUPAL-CONTRIB-2024-009.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-009
Aliases
Published
2024-02-14T19:31:10Z
Modified
2025-12-10T23:41:32.599517Z
Summary
[none]
Details

The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code.

The vulnerability is mitigated by the fact that it requires:

  1. full-page editing mode to be enabled, or
  2. CDATA elements in the Advanced Content Filtering configuration (by default, script and style elements) to be enabled; and
  3. an attacker to have a permission that grants access to the CKEditor instance.

For more information, see CKEditor's security advisory:
CVE-2024-24815: Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/ckeditor_lts

Package

Name
drupal/ckeditor_lts
Purl
pkg:composer/drupal/ckeditor_lts

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.0.1
Database specific
{
    "constraint": ">=1.0.0 <1.0.1"
}

Database specific

affected_versions
">=1.0.0 <1.0.1"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ckeditor_lts/DRUPAL-CONTRIB-2024-009.json"