CVE-2022-24728

medium

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

References

https://www.oracle.com/security-alerts/cpujul2022.html

https://www.drupal.org/sa-core-2022-005

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89

https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949

https://ckeditor.com/cke4/release/CKEditor-4.18.0

Details

Source: Mitre, NVD

Published: 2022-03-16

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity: Medium