CVE-2024-37888

MEDIUM

Mlewand Open Link < 1.0.5 - XSS

Title source: rule

Description

The Open Link is a CKEditor plugin, extending context menu with a possibility to open link in a new tab. The vulnerability allowed to execute JavaScript code by abusing link href attribute. It affects all users using the Open Link plugin at version < **1.0.5**.

Exploits (1)

nomisec WORKING POC 3 stars

by 7Ragnarok7 · poc

https://github.com/7Ragnarok7/CVE-2024-37888

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://github.com/mlewand/ckeditor-plugin-openlink/security/advisories/GHSA-rhxf-gvmh-hrxm

Scores

CVSS v3 6.1

EPSS 0.2064

EPSS Percentile 95.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

mlewand/open_link < 1.0.5

Published Jun 14, 2024

Tracked Since Feb 18, 2026