
XSS PoC/Exploit for Open Link Plugin for CKEditor 4


CVE-2024-37888

This repository documents the vulnerability details and proof-of-concept exploit for CVE-2024-37888, which I discovered and reported.

Metrics

Vulnerability Overview

This proof of concept (PoC) demonstrates an XSS vulnerability I recently found in the Open Link plugin for CKEditor 4. When the plugin is enabled, it affects all versions of CKEditor 4. The plugin lets users open links directly from the editing area, but it does not sanitize link targets, so a crafted link placed in the editor executes JavaScript when it is clicked. The flaw is exploitable only inside the editing area, and only when the Open Link plugin is installed.

Prerequisites

  1. CKEditor (version 4.*.*): https://ckeditor.com/ckeditor-4/download/#ckeditor-4
  2. Open Link Plugin (version < 1.0.5): https://ckeditor.com/cke4/addon/openlink

Reproduction Steps

This vulnerability can be tested against the pre-configured CKEditor instance linked here.

  1. Insert Payload:

    • Open the CKEditor instance and click on the "Source" icon.

    • Insert the following payload in the text area:

      <a href="javascript:alert('XSS Found')">XSS</a>

    Payload Insertion Screenshot

  2. Switch to WYSIWYG Mode:

    • Click on the "Source" icon again to switch back to the WYSIWYG mode.
    • Observe that the hyperlink becomes clickable inside the editor.

    Clickable Hyperlink Screenshot

  3. Trigger XSS:

    • Click on the hyperlink within the editor.
    • Observe that the XSS payload is triggered, resulting in an alert box in a new tab.

    XSS Triggered Screenshot

Setup Instructions

You can set up your own local instance to test this vulnerability by following the below steps.

  1. Download CKEditor 4:

    • Download the Full-Package Open-Source edition of CKEditor 4.

    Download

  2. Install Open Link Plugin:

    • Download the Open Link plugin version 1.0.4 from here.
    • Extract and place the contents into the ckeditor/plugins/openlink directory.

    OpenLink

  3. Update Configuration to Include the OpenLink Plugin:

    • Modify the config.js file of CKEditor by appending the following lines to the end:

      config.extraPlugins = 'openlink';
      config.linkShowTargetTab = false; // Hide link target tab
      config.openlink_modifier = 0; // No modifier for opening links
      config.openlink_enableReadOnly = true; // Allow links to open in read-only mode

    • Example config.js:

      CKEDITOR.editorConfig = function( config ) {
          // Define changes to default configuration here.
          config.extraPlugins = 'openlink';
          config.linkShowTargetTab = false; // Hide link target tab
          config.openlink_modifier = 0; // No modifier for opening links
          config.openlink_enableReadOnly = true; // Allow links to open in read-only mode
      };

  4. Include CKEditor in HTML:

    • Ensure the CKEditor library is included in your HTML file and that the editor is attached to a textarea:

      <!DOCTYPE html>
      <html>
      <head>
          <script src="path/to/ckeditor/ckeditor.js"></script>
      </head>
      <body>
          <textarea name="editor1" id="editor1"></textarea>
          <script>
              CKEDITOR.replace('editor1');
          </script>
      </body>
      </html>

    Demo Page Screenshot

Conclusion

This vulnerability lies in the code base of the Open Link plugin, not in the CKEditor 4 code base itself. The PoC above demonstrates XSS via the Open Link plugin in CKEditor 4.*.*: the flaw allows arbitrary JavaScript execution through specially crafted links, which poses a significant security risk.

Advisory

Additional Notice

config.disallowedContent = 'a[onclick]';
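The disallowedContent rule above uses CKEditor 4's Advanced Content Filter to strip onclick attributes from anchors; it says nothing about the value of href, which is the vector this PoC relies on. An application that accepts editor output therefore also wants a scheme allow-list on link targets before the content is rendered as clickable. The following JavaScript is an added example written for this write-up, not code from the repository or from CKEditor; the function names, the allowed-scheme set and the sample HTML are assumptions.

```javascript
// Added example (not part of the CVE-2024-37888 repository or of CKEditor):
// allow-list check for link targets before they are rendered as clickable anchors.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Guard against out-of-range code points from oversized numeric entities.
function codePointToChar(cp) {
  return cp > 0x10ffff ? '' : String.fromCodePoint(cp);
}

// Decode numeric entities and the two named whitespace entities, so that an
// entity-encoded scheme is classified the same way the browser would see it.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => codePointToChar(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => codePointToChar(parseInt(dec, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n');
}

// Browsers ignore ASCII control characters and spaces when parsing the URL
// scheme, so strip them before looking at it. This normalised form is used
// only for classification; the original href is never rewritten with it.
function normalizeHref(href) {
  return decodeEntities(String(href)).replace(/[\u0000-\u0020]/g, '');
}

// Returns true for relative URLs and for absolute URLs whose scheme is on the
// allow-list; everything else (javascript:, data:, vbscript:, ...) is rejected.
function isSafeLinkHref(href) {
  const url = normalizeHref(href);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) {
    // No scheme present: "/docs", "#anchor", "page.html" or "//host/path".
    return true;
  }
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Rewrite anchors in an HTML string: an unsafe href is replaced by "#" and the
// anchor is tagged with data-blocked-href so a reviewer can find it later.
// The regex pass is enough for a server-side check on editor output; a DOM
// based sanitiser would do the same walk over <a> elements.
function neutralizeUnsafeLinks(html) {
  return html.replace(
    /<a\b([^>]*?)\shref\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi,
    (match, before, _quoted, dq, sq, bare) => {
      const value = dq !== undefined ? dq : sq !== undefined ? sq : bare;
      return isSafeLinkHref(value)
        ? match
        : `<a${before} data-blocked-href="true" href="#"`;
    }
  );
}

// Constructed sample, mirroring the payload used in the reproduction steps.
const SAMPLE_HTML = '<a href="javascript:alert(\'XSS Found\')">XSS</a>';
console.log(neutralizeUnsafeLinks(SAMPLE_HTML));
```

The value is normalised before classification because the browser drops control characters inside the scheme and decodes entities before resolving the URL; comparing the raw string would miss those forms. Run the check on the server side when editor content is stored or served: the editor's own filtering runs in the client and is not a trust boundary.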

Important Links