CVE-2022-24728

EPSS 0.72%
Published 16.03.2022 16:15:10
Last modified 21.11.2024 06:50:57
Source security-advisories@github.com
Teams watchlist Login
Open Login

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

Affected products Warnungen 0 Metrics 4 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Ckeditor ≫ Ckeditor Version >= 4.0 < 4.18.0

Drupal ≫ Drupal Version >= 8.0.0 < 9.2.15

Drupal ≫ Drupal Version >= 9.3.0 < 9.3.8

Oracle ≫ Application Express Version < 22.1.1

Oracle ≫ Commerce Merchandising Version11.3.2

Oracle ≫ Financial Services Analytical Applications Infrastructure Version >= 8.0.7.0.0 <= 8.1.0.0.0

Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.1.1.0

Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.1.2.0

Oracle ≫ Financial Services Analytical Applications Infrastructure Version8.1.2.1

Oracle ≫ Financial Services Behavior Detection Platform Version >= 8.1.1.0 <= 8.1.2.1

Oracle ≫ Financial Services Behavior Detection Platform Version8.0.7.0

Oracle ≫ Financial Services Behavior Detection Platform Version8.0.8.0

Oracle ≫ Financial Services Trade-based Anti Money Laundering Version8.0.7 SwEditionenterprise

Oracle ≫ Financial Services Trade-based Anti Money Laundering Version8.0.8 SwEditionenterprise

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.58

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.59

Fedoraproject ≫ Fedora Version36

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.72%	0.716

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
security-advisories@github.com	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.oracle.com/security-alerts/cpujul2022.html

Patch

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/

https://ckeditor.com/cke4/release/CKEditor-4.18.0

Vendor Advisory

Release Notes

https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949

Patch

Third Party Advisory

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89