CVE-2022-24728
Last modified
CVE-2022-24728 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. EPSS estimates a 1.16% chance of exploitation in the next 30 days.
Description
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Ckeditor | Ckeditor | >= 4.0, < 4.18.0 |
| Drupal | Drupal | >= 8.0.0, < 9.2.15 |
| Drupal | Drupal | >= 9.3.0, < 9.3.8 |
| Oracle | Application Express | < 22.1.1 |
| Oracle | Commerce Merchandising | 11.3.2 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.7.0.0, <= 8.1.0.0.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.1.1.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.1.2.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.1.2.1 |
| Oracle | Financial Services Behavior Detection Platform | >= 8.1.1.0, <= 8.1.2.1 |
| Oracle | Financial Services Behavior Detection Platform | 8.0.7.0 |
| Oracle | Financial Services Behavior Detection Platform | 8.0.8.0 |
| Oracle | Financial Services Trade-Based Anti Money Laundering | 8.0.7 |
| Oracle | Financial Services Trade-Based Anti Money Laundering | 8.0.8 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Fedoraproject | Fedora | 36 |
| Fedoraproject | Fedora | 37 |
References
- https://ckeditor.com/cke4/release/CKEditor-4.18.0Release Notes, Vendor Advisory
- https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949Patch, Third Party Advisory
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89Third Party Advisory
- https://www.drupal.org/sa-core-2022-005Patch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://ckeditor.com/cke4/release/CKEditor-4.18.0Release Notes, Vendor Advisory
- https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949Patch, Third Party Advisory
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89Third Party Advisory
- https://www.drupal.org/sa-core-2022-005Patch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-24728?
How severe is CVE-2022-24728?
How do I fix CVE-2022-24728?
Are you affected by CVE-2022-24728?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST