CVE-2020-9281

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

Una vulnerabilidad de tipo cross-site scripting (XSS) en el HTML Data Processor for CKEditor versiones 4.0 anteriores a 4.14, permite a atacantes remotos inyectar script web arbitrario por medio de un comentario "protected" diseñado (con la sintaxis cke_protected).

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-02-19 CVE Reserved
2020-03-07 CVE Published
2024-07-01 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (9)

URL	Tag	Source
https://github.com/ckeditor/ckeditor4	Product
https://www.oracle.com/security-alerts/cpuoct2021.html	Not Applicable

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuApr2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2020.html	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ckeditor Search vendor "Ckeditor"		Ckeditor Search vendor "Ckeditor" for product "Ckeditor"				>= 4.0 < 4.14 Search vendor "Ckeditor" for product "Ckeditor" and version " >= 4.0 < 4.14"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected
Drupal Search vendor "Drupal"		Drupal Search vendor "Drupal" for product "Drupal"				>= 8.7.0 < 8.7.12 Search vendor "Drupal" for product "Drupal" and version " >= 8.7.0 < 8.7.12"		-		Affected
Drupal Search vendor "Drupal"		Drupal Search vendor "Drupal" for product "Drupal"				>= 8.8.0 < 8.8.4 Search vendor "Drupal" for product "Drupal" and version " >= 8.8.0 < 8.8.4"		-		Affected
Oracle Search vendor "Oracle"		Agile Plm Search vendor "Oracle" for product "Agile Plm"				9.3.5 Search vendor "Oracle" for product "Agile Plm" and version "9.3.5"		-		Affected
Oracle Search vendor "Oracle"		Agile Plm Search vendor "Oracle" for product "Agile Plm"				9.3.6 Search vendor "Oracle" for product "Agile Plm" and version "9.3.6"		-		Affected
Oracle Search vendor "Oracle"		Application Express Search vendor "Oracle" for product "Application Express"				< 20.2 Search vendor "Oracle" for product "Application Express" and version " < 20.2"		-		Affected
Oracle Search vendor "Oracle"		Jd Edwards Enterpriseone Tools Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools"				< 9.2.5.2 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version " < 9.2.5.2"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				-		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.56 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.56"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.57 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"		-		Affected
Oracle Search vendor "Oracle"		Siebel Apps - Customer Order Management Search vendor "Oracle" for product "Siebel Apps - Customer Order Management"				< 21.0 Search vendor "Oracle" for product "Siebel Apps - Customer Order Management" and version " < 21.0"		-		Affected
Oracle Search vendor "Oracle"		Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal"				11.1.1.9.0 Search vendor "Oracle" for product "Webcenter Portal" and version "11.1.1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal"				12.2.1.3.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal"				12.2.1.4.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				2.6.2 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.6.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				2.7.0 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.7.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				2.7.1 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.7.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				2.10.0 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.10.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				2.12.0 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.12.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Managment Search vendor "Oracle" for product "Banking Enterprise Default Managment"				>= 2.3.0 <= 2.4.0 Search vendor "Oracle" for product "Banking Enterprise Default Managment" and version " >= 2.3.0 <= 2.4.0"		-		Affected