CVE-2022-24728

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

Published: Mar 16, 2022
Updated: Nov 8, 2023
CVE: CVE-2022-24728
GHSA: GHSA-4fc4-4p5g-6w89
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
ckeditor / ckeditor	4.0	4.18.0
drupal / drupal	9.3.0	9.3.8
drupal / drupal	8.0.0	9.2.15
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
oracle / peoplesoft_enterprise_peopletools	8.59	8.59.x
oracle / commerce_merchandising	11.3.2	11.3.2.x
oracle / financial_services_trade-based_anti_money_laundering	8.0.7	8.0.7.x
oracle / financial_services_trade-based_anti_money_laundering	8.0.8	8.0.8.x
fedoraproject / fedora	36	36.x
oracle / financial_services_analytical_applications_infrastructure	8.1.2.0	8.1.2.0.x
oracle / financial_services_analytical_applications_infrastructure	8.1.1.0	8.1.1.0.x
oracle / application_express	-	22.1.1
oracle / financial_services_analytical_applications_infrastructure	8.1.2.1	8.1.2.1.x
oracle / financial_services_behavior_detection_platform	8.1.1.0	8.1.2.1.x
oracle / financial_services_analytical_applications_infrastructure	8.0.7.0.0	8.1.0.0.0.x
oracle / financial_services_behavior_detection_platform	8.0.8.0	8.0.8.0.x
oracle / financial_services_behavior_detection_platform	8.0.7.0	8.0.7.0.x
fedoraproject / fedora	37	37.x
ckeditor4	-	4.18.0

Vulnerability Database

289,599

CVE-2022-24728