← back
CVE-2022-24728

Cross-site Scripting in CKEditor4

CVSS 5.4 MEDIUMEPSS 1.2%CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.4EPSS 1.2%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
16 Mar 2022Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected products
ckeditor · ckeditor4

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://ckeditor.com/cke4/release/CKEditor-4.18.0https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/https://www.drupal.org/sa-core-2022-005https://www.oracle.com/security-alerts/cpujul2022.html