CVE-2024-37888 is a cross-site scripting vulnerability in the CKEditor 4 Open Link plugin that lets attackers run arbitrary JavaScript in a user’s browser through manipulated links. Exploitation requires user interaction and is fixed in Open Link 1.0.5 and later. #CVE-2024-37888 #OpenLinkPlugin
Keypoints
- CVE-2024-37888 affects the CKEditor 4 Open Link plugin.
- The flaw allows execution of arbitrary JavaScript code in the user’s browser.
- Exploitation requires user interaction: the victim must activate a manipulated link placed in editor content.
- The vulnerability was discovered during a NetSPI client engagement.
- Affected versions: Open Link Plugin versions < 1.0.5.
- The issue exists in the Open Link plugin codebase, not CKEditor 4 itself, and the fix is in Open Link 1.0.5+.
- Exploitation can lead to session hijacking, defacement, or data theft.
MITRE Techniques
- [T1203] Exploitation for Client Execution – the XSS delivers arbitrary JavaScript that runs in the victim’s browser when the manipulated link is activated.
- [TA0040] Impact – script running in the victim’s session enables session hijacking, defacement, or data theft.
Indicators of Compromise
- [URL] Advisory references (informational, not indicators of compromise) – https://nvd.nist.gov/vuln/detail/CVE-2024-37888, https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm
- [GitCommit] Open Link plugin vulnerability commit – d98ca940715cf4fa425194e104dfa54a76c987af
- [Payload] Exploit payload used in reproduction – <a href="javascript:alert('XSS Found')">XSS</a>
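The following is an added example, not code from the Open Link plugin, CKEditor 4 or the NetSPI write-up. It models the bug class behind the payload above: a link-opening handler that passes an anchor's href straight to the browser will execute a javascript: URL, and an allow-list on the parsed URL scheme is one way to prevent that. The handler names, the allowed-scheme set and the editor origin are assumptions, and the actual change shipped in Open Link 1.0.5 is not reproduced here.

```javascript
// Added example; not code from the Open Link plugin, CKEditor 4, or the NetSPI post.
// It models the vulnerability class the advisory describes: an "open this link"
// handler that forwards an anchor's href to the browser without checking the
// scheme, so <a href="javascript:..."> executes in the victim's browser when the
// link is activated. openLinkHardened() shows an allow-list check; the real 1.0.5
// fix is not reproduced here (assumption: this is one way to close the hole).

// Pluggable "open" so the example runs in Node without a browser. In a page this
// would be window.open(url, '_blank', 'noopener').
function defaultOpen(url) {
  return url;
}

// Vulnerable pattern: trusts whatever href the editor content carries.
// With href = "javascript:alert('XSS Found')" the script runs in the page origin.
function openLinkUnsafe(href, open = defaultOpen) {
  return open(href);
}

// Assumption: these are the only schemes the product needs to open.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Base used to resolve relative hrefs (assumed editor origin, constructed for the example).
const EDITOR_ORIGIN = 'https://editor.example/';

// Returns true only when the href parses and its scheme is on the allow-list.
// Parsing with the WHATWG URL class (not a regex on the raw string) matters:
// the parser lower-cases the scheme, strips leading whitespace/control chars and
// removes embedded tabs and newlines, so " JaVaScRiPt:..." and "java\tscript:..."
// are both recognised as javascript: and rejected.
function isSafeLinkTarget(href) {
  let parsed;
  try {
    parsed = new URL(String(href), EDITOR_ORIGIN);
  } catch (err) {
    return false; // unparseable: refuse rather than guess
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Hardened pattern: refuse to open anything that fails the scheme check and
// pass the normalised absolute URL, not the raw attribute value, to the opener.
function openLinkHardened(href, open = defaultOpen) {
  if (!isSafeLinkTarget(href)) {
    return null;
  }
  return open(new URL(String(href), EDITOR_ORIGIN).href);
}

// Constructed sample hrefs, including the payload from the write-up.
const SAMPLE_HREFS = [
  'https://example.com/docs',
  '/relative/page',
  'mailto:security@example.com',
  "javascript:alert('XSS Found')",
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'vbscript:MsgBox(1)',
];

// Runs both handlers over the samples; returns how each href was treated.
function demo() {
  return SAMPLE_HREFS.map((href) => ({
    href,
    unsafeOpened: openLinkUnsafe(href),
    hardenedOpened: openLinkHardened(href),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of demo()) {
    console.log(JSON.stringify(row));
  }
}
```

Run with node to print how each sample href is treated by the two handlers. The check parses the href with the WHATWG URL class rather than matching the raw string, because the parser normalises case, leading whitespace and embedded tabs or newlines that a naive startsWith('javascript:') test would miss; the unsafe handler forwards every sample unchanged, while the hardened one opens only the http, https and mailto targets.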
Read more: https://www.netspi.com/blog/technical-blog/web-application-pentesting/cve-2024-37888-ckeditor-4/