CVE-2022-24728 Information
Share on:Description
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Reference
https://ckeditor.com/cke4/release/CKEditor-4.18.0 https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89 https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949 https://www.drupal.org/sa-core-2022-005
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
REQUIRED
Confidentiality Impact
CHANGED
Integrity Impact
LOW
Availability Impact
LOW
Base Score
NONE
Base Severity
5.4