cvebase
CVE-2018-9861
published 2018-04-19

Priority: P427
Severity: medium (CVSS 3.0 base score 6.1)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 1.78% (75.5th percentile)

Description
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.

Affected

12 ranges

Vendor    Product         Version range                                Fixed in
ckeditor  ckeditor        >= 0 < 4.5.7+dfsg-2ubuntu0.18.04.1           4.5.7+dfsg-2ubuntu0.18.04.1
ckeditor  ckeditor        >= 0 < 4.12.1+dfsg-1ubuntu0.1                4.12.1+dfsg-1ubuntu0.1
ckeditor  ckeditor        >= 0 < 4.5.7+dfsg-2ubuntu0.16.04.1~esm1      4.5.7+dfsg-2ubuntu0.16.04.1~esm1
ckeditor  enhanced_image  >= 4.5.10 < 4.9.2                            4.9.2
drupal    core            >= 8.0 < 8.4.7                               8.4.7
drupal    core            >= 8.0.0 < 8.4.7                             8.4.7
drupal    core            >= 8.5.0 < 8.5.2                             8.5.2
drupal    drupal          >= 8.0 < 8.4.7                               8.4.7
drupal    drupal          >= 8.0.0 < 8.4.7                             8.4.7
drupal    drupal          >= 8.5 < 8.5.2                               8.5.2
drupal    drupal          >= 8.5.0 < 8.5.2                             8.5.2
drupal    drupal_core     (no range given)                             (none given)

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     6.1    MEDIUM    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd            v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N
osv            -        6.1    MEDIUM    -
vendor_ubuntu  -        6.1    MEDIUM    -