Ckeditor
By the Year
In 2022 there have been 2 vulnerabilities in Ckeditor with an average score of 6.5 out of ten. Last year Ckeditor had 8 security vulnerabilities published. Right now, Ckeditor is on track to have fewer security vulnerabilities in 2022 than it did last year. However, the average CVE base score of the vulnerabilities in 2022 is greater by 0.69.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2022 | 2 | 6.45 |
| 2021 | 8 | 5.76 |
| 2020 | 3 | 6.10 |
| 2019 | 0 | 0.00 |
| 2018 | 1 | 6.10 |
It may take a day or so for new Ckeditor vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Ckeditor Security Vulnerabilities
CVE-2022-24729
7.5 - High, published March 16, 2022
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
CVE-2022-24728
5.4 - Medium, published March 16, 2022
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
XSS
CVE-2021-41165
5.4 - Medium, published November 17, 2021
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed injection of malformed comment HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
XSS
CVE-2021-41164
5.4 - Medium, published November 17, 2021
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed injection of malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
XSS
CVE-2021-37695
5.4 - Medium, published August 13, 2021
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in the CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed injection of malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
XSS
CVE-2021-32809
5.4 - Medium, published August 12, 2021
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in the CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed abuse of the paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
XSS
CVE-2021-32808
5.4 - Medium, published August 12, 2021
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
XSS
CVE-2021-33829
6.1 - Medium, published June 09, 2021
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
XSS
CVE-2021-26271
6.5 - Medium, published January 26, 2021
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
Inclusion of Functionality from Untrusted Control Sphere
CVE-2021-26272
6.5 - Medium, published January 26, 2021
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
Inclusion of Functionality from Untrusted Control Sphere
CVE-2020-27193
6.1 - Medium, published November 12, 2020
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of the editor inputs.
XSS
CVE-2020-9440
6.1 - Medium, published March 10, 2020
A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.
XSS
CVE-2020-9281
6.1 - Medium, published March 07, 2020
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
XSS
CVE-2018-17960
6.1 - Medium, published November 14, 2018
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
XSS