Oracle Commerce Merchandising
By the Year
In 2024 there have been 0 vulnerabilities in Oracle Commerce Merchandising . Commerce Merchandising did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 2 | 6.45 |
| 2021 | 4 | 5.68 |
| 2020 | 2 | 6.10 |
| 2019 | 1 | 6.50 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Commerce Merchandising vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Oracle Commerce Merchandising Security Vulnerabilities
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor
CVE-2022-24729
7.5 - High
- March 16, 2022
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
ReDoS
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor
CVE-2022-24728
5.4 - Medium
- March 16, 2022
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
XSS
ckeditor is an open source WYSIWYG HTML editor with rich content support
CVE-2021-37695
5.4 - Medium
- August 13, 2021
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
XSS
ckeditor is an open source WYSIWYG HTML editor with rich content support
CVE-2021-32808
5.4 - Medium
- August 12, 2021
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
XSS
ckeditor is an open source WYSIWYG HTML editor with rich content support
CVE-2021-32809
5.4 - Medium
- August 12, 2021
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
XSS
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor
CVE-2021-26272
6.5 - Medium
- January 26, 2021
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
Inclusion of Functionality from Untrusted Control Sphere
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0
CVE-2020-27193
6.1 - Medium
- November 12, 2020
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
XSS
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14
CVE-2020-9281
6.1 - Medium
- March 07, 2020
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
XSS
Vulnerability in the Oracle Commerce Merchandising component of Oracle Commerce (subcomponent: Asset Manager)
CVE-2019-2713
6.5 - Medium
- April 23, 2019
Vulnerability in the Oracle Commerce Merchandising component of Oracle Commerce (subcomponent: Asset Manager). The supported version that is affected is 11.2.0.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Merchandising. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Commerce Merchandising accessible data as well as unauthorized read access to a subset of Oracle Commerce Merchandising accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Oracle Commerce Merchandising or by Oracle? Click the Watch button to subscribe.
