CVE-2024-29504

7.6 HIGH

📋 TL;DR

This CVE describes a Cross-Site Scripting (XSS) vulnerability in Summernote versions 0.8.18 and earlier. An attacker can inject malicious JavaScript via the codeview parameter, potentially compromising user sessions or stealing sensitive data. Any application using vulnerable Summernote versions is affected.

💻 Affected Systems

Products:
  • Summernote
Versions: v0.8.18 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any web application using Summernote with the vulnerable version, regardless of OS.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, session hijacking, credential theft, and unauthorized actions performed on behalf of authenticated users.

🟠 Likely Case

Session hijacking, credential theft, defacement of web pages, and client-side data exfiltration.

🟢 If Mitigated

Limited impact with proper Content Security Policy (CSP) headers and input validation, though XSS could still execute in some contexts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (e.g., clicking a malicious link) but is straightforward with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.8.19 or later

Vendor Advisory: https://github.com/summernote/summernote/pull/3782

Restart Required: No

Instructions:

1. Update Summernote to version 0.8.19 or later via package manager (e.g., npm update summernote).
2. Verify the update in your application's dependencies.
3. Test functionality to ensure compatibility.

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Implement server-side input validation and sanitization for the codeview parameter to strip or escape malicious scripts.

Content Security Policy (CSP) (applies to: all)

Deploy a strict CSP header to mitigate XSS impact by restricting script execution sources.

🧯 If You Can't Patch

  • Disable or restrict access to the codeview feature in Summernote configuration.
  • Implement a Web Application Firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Check the Summernote version in your project's package.json or dependency files; if version is 0.8.18 or earlier, it is vulnerable.

Check Version:

npm list summernote

Verify Fix Applied:

After updating, confirm the Summernote version is 0.8.19 or later and test the codeview parameter with a safe payload to ensure no script execution.

📡 Detection & Monitoring

Log Indicators:

  • Unusual or malicious script patterns in HTTP request logs targeting the codeview parameter.

Network Indicators:

  • HTTP requests with suspicious JavaScript payloads in the codeview parameter.

SIEM Query:

source="web_logs" AND (url="*codeview*" AND (content="<script>" OR content="javascript:"))
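As an added example (not part of this advisory), the check the SIEM query above expresses, run over constructed access-log lines in JavaScript; it additionally URL-decodes the parameter so percent-encoded variants of the same patterns are not missed. The log format, the sample lines and the function names are assumptions for this demo.

```javascript
// Added example, not code from the advisory or from Summernote: flag request
// log lines whose "codeview" parameter carries the script patterns the SIEM
// query looks for. Log format and sample lines below are constructed.

// Patterns taken from the SIEM query on this page.
const SCRIPT_PATTERNS = [/<script/i, /javascript:/i];

// Decode percent-encoding (and "+" as space); fall back to the raw value on
// malformed input rather than letting the scanner throw.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Raw value of the codeview query parameter in a request path, or null.
function codeviewParam(path) {
  const q = path.indexOf('?');
  if (q < 0) return null;
  for (const pair of path.slice(q + 1).split('&')) {
    const [k, ...rest] = pair.split('=');
    if (safeDecode(k) === 'codeview') return rest.join('=');
  }
  return null;
}

// Finding for a suspicious line, or null when the line is clean / irrelevant.
function inspectLogLine(line) {
  // Assumed combined-log style: <ip> - - [<ts>] "<method> <path> HTTP/x" <status>
  const m = line.match(/"(?:GET|POST)\s+(\S+)\s+HTTP\/[\d.]+"/);
  if (!m) return null;
  const raw = codeviewParam(m[1]);
  if (raw === null) return null;
  const decoded = safeDecode(raw);
  const hit = SCRIPT_PATTERNS.find(p => p.test(decoded));
  return hit ? { path: m[1], pattern: hit.source, decoded } : null;
}

function scanLog(lines) {
  return lines.map(inspectLogLine).filter(Boolean);
}

// Constructed sample lines (not real traffic): benign markup, an encoded
// <script> tag, a request without the parameter, and a javascript: URL.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /editor?codeview=%3Cp%3Ehello%3C%2Fp%3E HTTP/1.1" 200',
  '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /editor?codeview=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200',
  '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /editor?mode=codeview HTTP/1.1" 200',
  '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /editor?codeview=%3Ca%20href%3D%22javascript%3Avoid(0)%22%3Ex%3C%2Fa%3E HTTP/1.1" 200',
];

console.log(scanLog(SAMPLE_LOG));
```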
