CVE-2022-24728Cross-site Scripting in Ckeditor4

CWE-79Cross-site Scripting10 documents7 sources
Severity
5.4MEDIUMNVD
EPSS
1.1%
top 22.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
11
Ckeditor Ckeditor4CkeditorDrupal+8 more
Timeline
PublishedMar 16
Latest updateFeb 6

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages13 packages

CVEListV5ckeditor/ckeditor4< 4.18.0
npmckeditor/ckeditor4< 4.18.0
NVDckeditor/ckeditor4.04.18.0
Debianckeditor/ckeditor< 4.19.0+dfsg-1
Ubuntuckeditor/ckeditor< 4.5.7+dfsg-2ubuntu0.16.04.1~esm2+4

Also affects: Fedora 36, 37

Patches

Patch: github.comPatch: www.drupal.orgPatch: www.oracle.com

🔴Vulnerability Details

6
OSV
ckeditor vulnerabilities2025-02-06
CVEList
Cross-site Scripting in CKEditor42022-03-16
GHSA
Cross-site Scripting in CKEditor42022-03-16
OSV
CVE-2022-24728: The Drupal project uses the [CKEditor](https://github2022-03-16
OSV
Cross-site Scripting in CKEditor42022-03-16

📋Vendor Advisories

3
Ubuntu
CKEditor vulnerabilities2025-02-06
Drupal
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-0052022-03-16
Debian
CVE-2022-24728: ckeditor - CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerab...2022