CVE-2020-9281

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

Published: Mar 7, 2020
Updated: Nov 9, 2025
CVE: CVE-2020-9281
GHSA: GHSA-vcjf-mgcg-jxjq
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
ckeditor / ckeditor	4.0	4.14
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
drupal / drupal	8.8.0	8.8.4
drupal / drupal	8.7.0	8.7.12
oracle / peoplesoft_enterprise_peopletools	8.56	8.56.x
oracle / webcenter_portal	12.2.1.3.0	12.2.1.3.0.x
oracle / webcenter_portal	11.1.1.9.0	11.1.1.9.0.x
oracle / peoplesoft_enterprise_peopletools	8.57	8.57.x
oracle / agile_plm	9.3.5	9.3.5.x
oracle / agile_plm	9.3.6	9.3.6.x
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
oracle / webcenter_portal	12.2.1.4.0	12.2.1.4.0.x
oracle / application_express	-	20.2
oracle / jd_edwards_enterpriseone_tools	-	9.2.5.2
oracle / siebel_apps_-_customer_order_management	-	21.0
oracle / banking_enterprise_default_management	2.12.0	2.12.0.x
oracle / banking_enterprise_default_management	2.10.0	2.10.0.x
oracle / banking_enterprise_default_managment	2.3.0	2.4.0.x
oracle / banking_enterprise_default_management	2.7.0	2.7.0.x
oracle / banking_enterprise_default_management	2.7.1	2.7.1.x
oracle / banking_enterprise_default_management	2.6.2	2.6.2.x
ckeditor4	-	4.14.0

Vulnerability Database

300,445

CVE-2020-9281

Deep Security Visibility Without the Complexity