CVE-2022-24728

Cross-site Scripting in CKEditor4

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

CKEditor4 es un editor HTML de código abierto "lo que visualizas es lo que obtienes". Se ha detectado una vulnerabilidad en el módulo central de procesamiento de HTML y puede afectar a todos los plugins usados por CKEditor 4 versiones anteriores a 4.18.0. La vulnerabilidad permite que alguien inyecte HTML malformado omitiendo el saneo del contenido, lo que podría resultar en una ejecución de código JavaScript. Este problema ha sido parcheado en versión 4.18.0. Actualmente no se presentan medidas de mitigación conocidas

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-03-16 CVE Published
2023-11-08 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (7)

URL	Tag	Source
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949	2023-11-07
https://www.drupal.org/sa-core-2022-005	2023-11-07
https://www.oracle.com/security-alerts/cpujul2022.html	2023-11-07

URL	Date	SRC
https://ckeditor.com/cke4/release/CKEditor-4.18.0	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ckeditor Search vendor "Ckeditor"		Ckeditor Search vendor "Ckeditor" for product "Ckeditor"				>= 4.0 < 4.18.0 Search vendor "Ckeditor" for product "Ckeditor" and version " >= 4.0 < 4.18.0"		-		Affected
Drupal Search vendor "Drupal"		Drupal Search vendor "Drupal" for product "Drupal"				>= 8.0.0 < 9.2.15 Search vendor "Drupal" for product "Drupal" and version " >= 8.0.0 < 9.2.15"		-		Affected
Drupal Search vendor "Drupal"		Drupal Search vendor "Drupal" for product "Drupal"				>= 9.3.0 < 9.3.8 Search vendor "Drupal" for product "Drupal" and version " >= 9.3.0 < 9.3.8"		-		Affected
Oracle Search vendor "Oracle"		Application Express Search vendor "Oracle" for product "Application Express"				< 22.1.1 Search vendor "Oracle" for product "Application Express" and version " < 22.1.1"		-		Affected
Oracle Search vendor "Oracle"		Commerce Merchandising Search vendor "Oracle" for product "Commerce Merchandising"				11.3.2 Search vendor "Oracle" for product "Commerce Merchandising" and version "11.3.2"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				>= 8.0.7.0.0 <= 8.1.0.0.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version " >= 8.0.7.0.0 <= 8.1.0.0.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.1.1.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.1.1.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.1.2.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.1.2.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				8.1.2.1 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version "8.1.2.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Behavior Detection Platform Search vendor "Oracle" for product "Financial Services Behavior Detection Platform"				>= 8.1.1.0 <= 8.1.2.1 Search vendor "Oracle" for product "Financial Services Behavior Detection Platform" and version " >= 8.1.1.0 <= 8.1.2.1"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Behavior Detection Platform Search vendor "Oracle" for product "Financial Services Behavior Detection Platform"				8.0.7.0 Search vendor "Oracle" for product "Financial Services Behavior Detection Platform" and version "8.0.7.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Behavior Detection Platform Search vendor "Oracle" for product "Financial Services Behavior Detection Platform"				8.0.8.0 Search vendor "Oracle" for product "Financial Services Behavior Detection Platform" and version "8.0.8.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Trade-based Anti Money Laundering Search vendor "Oracle" for product "Financial Services Trade-based Anti Money Laundering"				8.0.7 Search vendor "Oracle" for product "Financial Services Trade-based Anti Money Laundering" and version "8.0.7"		enterprise		Affected
Oracle Search vendor "Oracle"		Financial Services Trade-based Anti Money Laundering Search vendor "Oracle" for product "Financial Services Trade-based Anti Money Laundering"				8.0.8 Search vendor "Oracle" for product "Financial Services Trade-based Anti Money Laundering" and version "8.0.8"		enterprise		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.59 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected