CVE-2024-37888 - Vulnerability Details - OpenCVE

Description

The Open Link is a CKEditor plugin, extending context menu with a possibility to open link in a new tab. The vulnerability allowed to execute JavaScript code by abusing link href attribute. It affects all users using the Open Link plugin at version < **1.0.5**.

Published: 2024-06-14

Score: 6.1 Medium

EPSS: 20.6% Moderate

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mlewand

ckeditor-plugin-openlink

affected

Version	Status	Constraints
`< 1.0.5`	affected	—

Configuration 1 [-]

cpe:2.3:a:mlewand:open_link:*:*:*:*:*:ckeditor:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.20643.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm

History

Thu, 08 Aug 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mlewand Mlewand open Link
CPEs		cpe:2.3:a:mlewand:open_link::::::ckeditor::*
Vendors & Products		Mlewand Mlewand open Link

Subscriptions

Mlewand Open Link

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-14T17:17:26.758Z

Updated: 2024-08-02T03:57:40.013Z

Reserved: 2024-06-10T19:54:41.360Z

Link: CVE-2024-37888

Vulnrichment

Updated: 2024-07-11T19:17:21.693Z

NVD

Status : Modified

Published: 2024-06-14T18:15:27.790

Modified: 2024-11-21T09:24:28.543

Link: CVE-2024-37888

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-10T19:54:41.360Z", "datePublished": "2024-06-14T17:17:26.758Z", "dateUpdated": "2024-08-02T03:57:40.013Z"}, "containers": {"cna": {"title": "The Open Link CKEditor plugin has a cross-site scripting (XSS) vulnerability in open link functionality", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm"}], "affected": [{"vendor": "mlewand", "product": "ckeditor-plugin-openlink", "versions": [{"version": "< 1.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-14T17:17:26.758Z"}, "descriptions": [{"lang": "en", "value": "The Open Link is a CKEditor plugin, extending context menu with a possibility to open link in a new tab. The vulnerability allowed to execute JavaScript code by abusing link href attribute. It affects all users using the Open Link plugin at version < **1.0.5**."}], "source": {"advisory": "GHSA-rhxf-gvmh-hrxm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-11T19:17:17.006942Z", "id": "CVE-2024-37888", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T16:02:42.657Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:57:40.013Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-11T19:17:17.006942Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-11T19:17:21.693Z"}}], "cna": {"title": "The Open Link CKEditor plugin has a cross-site scripting (XSS) vulnerability in open link functionality", "source": {"advisory": "GHSA-rhxf-gvmh-hrxm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mlewand", "product": "ckeditor-plugin-openlink", "versions": [{"status": "affected", "version": "< 1.0.5"}]}], "references": [{"url": "https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm", "name": "https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "The Open Link is a CKEditor plugin, extending context menu with a possibility to open link in a new tab. The vulnerability allowed to execute JavaScript code by abusing link href attribute. It affects all users using the Open Link plugin at version < **1.0.5**."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-14T17:17:26.758Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37888", "state": "PUBLISHED", "dateUpdated": "2024-07-12T16:02:42.657Z", "dateReserved": "2024-06-10T19:54:41.360Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-14T17:17:26.758Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mlewand:open_link:*:*:*:*:*:ckeditor:*:*", "matchCriteriaId": "16D07EE1-6CA4-425C-80D5-7F53DED13D35", "versionEndExcluding": "1.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Open Link is a CKEditor plugin, extending context menu with a possibility to open link in a new tab. The vulnerability allowed to execute JavaScript code by abusing link href attribute. It affects all users using the Open Link plugin at version < **1.0.5**."}, {"lang": "es", "value": "Open Link es un complemento de CKEditor que ampl\u00eda el men\u00fa contextual con la posibilidad de abrir un enlace en una nueva pesta\u00f1a. La vulnerabilidad permit\u00eda ejecutar c\u00f3digo JavaScript abusando del atributo href del enlace. Afecta a todos los usuarios que utilizan el complemento Open Link en la versi\u00f3n <**1.0.5**."}], "id": "CVE-2024-37888", "lastModified": "2024-11-21T09:24:28.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-14T18:15:27.790", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}