ckeditor ckeditor CVE-2022-24728 vulnerability in Ckeditor and Other Products
Published on March 16, 2022

Cross-site Scripting in CKEditor4

product logo product logo product logo product logo product logo
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2022-24728 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2022-24728 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2022-24728

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-24728 are published in these products:

Ckeditor
 
Drupal
 
Oracle Peoplesoft Enterprise Peopletools
 
Oracle Commerce Merchandising
 
Oracle Financial Services Trade Based Anti Money Laundering
 
Fedora Project Fedora
 
Oracle Financial Services Analytical Applications Infrastructure
 
Oracle Application Express
 
Oracle Financial Services Behavior Detection Platform
 
Canonical Ubuntu Linux
 

Affected Versions

ckeditor4 Version < 4.18.0 is affected by CVE-2022-24728

Exploit Probability

EPSS
0.75%
Percentile
72.89%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.