According to its self-reported version number, the CKEditor application running on the remote host is prior to 4.24.0-LTS. It is, therefore, affected by multiples Cross-Site-Scripting :

- In samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. - In samples that are shipped with production code. The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. - Through processing core module. The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.9 prior to 9.7.2.10. It is, therefore, affected by multiple vulnerabilities as referenced in the 7238992 advisory.

  - CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the     core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject     malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It     affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The     fix will be available in version 4.17.0. (CVE-2021-41165)

  - CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the     Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to     inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects     all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be     available in version 4.17.0. (CVE-2021-41164)

  - It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted     text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin). (CVE-2021-26271)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of CKEditor included on the remote web host is 4.x prior to 4.24.0-lts. It may, therefore, be affected by multiple cross-site scripting (XSS) vulnerabilities.

 - A cross-site scripting vulnerability affecting editor instances that enabled full-page editing mode or    enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style`    elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced    Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse    faulty CDATA content detection and use it to prepare an intentional attack on the editor. (CVE-2024-24815)

 - A cross-site scripting vulnerability in samples that use the `preview` feature. All integrators that use    these samples in the production code can be affected. The vulnerability allows an attacker to execute    JavaScript code by abusing the misconfigured preview feature. (CVE-2024-24816)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability     vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview`     feature. All integrators that use these samples in the production code can be affected. The vulnerability     allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all     users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment.
    A fix is available in version 4.24.0-lts. (CVE-2024-24816)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7258-1 advisory.

    Kevin Backhouse discovered that CKEditor did not properly sanitize HTML content. An attacker could     possibly use this issue to perform cross site scripting and obtain sensitive information. This issue only     affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24728)

    It was discovered that CKEditor did not properly handle the creation of editor instances in the Iframe     Dialog and Media Embed packages. An attacker could possibly use this issue to perform cross site scripting     and obtain sensitive information. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu     20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-28439)

    It was discovered that CKEditor did not properly handle parsing HTML content. An attacker could possibly     use this issue to perform cross site scripting and obtain sensitive information. (CVE-2024-24815,     CVE-2024-24816)

    It was discovered that CKEditor did not properly sanitize version notifications. An attacker could     possibly use this issue to perform cross site scripting and obtain sensitive information. This issue only     affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-43411)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
114426	CKEditor < 4.24.0-LTS Multiples Cross-Site Scripting	Web App Scanning	Component Vulnerability	9/9/2024	9/9/2024	medium
242323	IBM Engineering Requirements Management DOORS 9.7.2.9 < 9.7.2.10 Multiple Vulnerabilities (7238992)	Nessus	Windows	7/18/2025	7/22/2025	medium
190347	CKEditor 4.x < 4.24.0-lts Multitple XSS	Nessus	CGI abuses : XSS	2/9/2024	2/28/2025	medium
257637	Linux Distros Unpatched Vulnerability : CVE-2024-24816	Nessus	Misc.	8/27/2025	9/2/2025	medium
215049	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 : CKEditor vulnerabilities (USN-7258-1)	Nessus	Ubuntu Local Security Checks	2/6/2025	9/3/2025	medium

Detections

Analytics

Plugins Search

medium

medium

medium

medium

medium