
CVE-2022-24728 ckeditor4

Package

Manager: npm
Name: ckeditor4
Vulnerable Version: >=0 <4.18.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00604 (percentile 0.6863)

Details

Cross-site Scripting in CKEditor4

### Affected packages

The vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4.

### Impact

A potential vulnerability has been discovered in the CKEditor 4 HTML processing core module. The vulnerability allowed injecting malformed HTML that bypassed content sanitization, which could result in executing JavaScript code. It affects all users of CKEditor 4 at versions < 4.18.0.

### Patches

The problem has been recognized and patched. The fix will be available in version 4.18.0.

### For more information

Email us at security@cksource.com if you have any questions or comments about this advisory.

### Acknowledgements

The CKEditor 4 team would like to thank GHSL team member Kevin Backhouse ([@kevinbackhouse](https://github.com/kevinbackhouse)) for recognizing and reporting this vulnerability.

Metadata

Created: 2022-03-16T22:47:55Z
Modified: 2022-03-30T20:05:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-4fc4-4p5g-6w89/GHSA-4fc4-4p5g-6w89.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-4fc4-4p5g-6w89
Finding: F008
Auto approve: 1