CVE-2020-9281

CWE-79 — Cross-site Scripting (XSS)17 documents8 sources

Severity

6.1MEDIUM

EPSS

1.2%

top 21.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ckeditor Ckeditor Drupal Drupal Oracle Application Express +8 more

Timeline

PublishedMar 7

Latest updateNov 2

Description

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages12 packages

▶npmckeditor4< 4.14.0

▶NVDckeditor/ckeditor4.0 — 4.14

▶Ubuntuckeditor< 4.5.7+dfsg-2ubuntu0.18.04.1+2

▶NVDdrupal/drupal8.7.0 — 8.7.12+1

▶NVDoracle/application_express< 20.2

Also affects: Fedora 30, 31, 32

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

ckeditor vulnerabilities↗2022-03-23

▶

OSV

ckeditor vulnerabilities↗2022-03-22

▶

GHSA

CKEditor 4.0 vulnerability in the HTML Data Processor↗2021-05-07

▶

OSV

CKEditor 4.0 vulnerability in the HTML Data Processor↗2021-05-07

▶

CVEList

CVE-2020-9281: A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4↗2020-03-07

▶

📋Vendor Advisories

Fortinet

An improper neutralization of input during web page generation vulnerability [CWE-79] exists in FortiManager and FortiAn...↗2022-11-02

▶

Ubuntu

CKEditor vulnerabilities↗2022-03-23

▶

Ubuntu

CKEditor vulnerabilities↗2022-03-22

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Collections (CKEditor) — CVE-2020-9281↗2022-01-15

▶

Oracle

Oracle Oracle JD Edwards Risk Matrix: Web Runtime (CKEditor) — CVE-2020-9281↗2021-04-15

▶

💬Community

Bugzilla

CVE-2020-9281 ckeditor: XSS in the HTML Data Processor allows remote attackers to inject arbitrary web script through a crafted "protected" comment [fedora-all]↗2020-03-18

▶

Bugzilla

CVE-2020-9281 ckeditor: XSS in the HTML Data Processor allows remote attackers to inject arbitrary web script through a crafted "protected" comment↗2020-03-18

▶

Bugzilla

CVE-2020-9281 ckeditor: XSS in the HTML Data Processor allows remote attackers to inject arbitrary web script through a crafted "protected" comment [epel-all]↗2020-03-18

▶