Fluid Attacks Database

Description

Cross-site Scripting in CKEditor4

Affected packages

The vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4.

Impact

A potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.18.0.

Patches

The problem has been recognized and patched. The fix will be available in version 4.18.0.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank GHSL team member Kevin Backhouse (@kevinbackhouse) for recognizing and reporting this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	ckeditor4	>=0 <4.18.0	4.18.0
debian 11	ckeditor3	=3.6.6.1+dfsg-7	-
debian 12	ckeditor3	=3.6.6.1+dfsg-7	-
npm	ckeditor	>=4.0 <4.18.0	-
debian 12	ckeditor	>=0 <4.19.0+dfsg-1	4.19.0+dfsg-1
debian 11	ckeditor	=4.16.0+dfsg-2 \|\| =4.16.2+dfsg-1 \|\| =4.19.0+dfsg-1 \|\| =4.19.1+dfsg-1 \|\| =4.22.1+dfsg-1 \|\| =4.22.1+dfsg1-2	-
packagist	drupal/core	=8.0.0 \|\| =8.0.1 \|\| =8.0.2 \|\| =8.0.3 \|\| =8.0.4 \|\| =8.0.5 \|\| =8.0.6 \|\| =8.1.0 \|\| =8.1.0-beta1 \|\| =8.1.0-beta2 \|\| =8.1.0-rc1 \|\| =8.1.1 \|\| =8.1.10 \|\| =8.1.2 \|\| =8.1.3 \|\| =8.1.4 \|\| =8.1.5 \|\| =8.1.6 \|\| =8.1.7 \|\| =8.1.8 \|\| =8.1.9 \|\| =8.2.0 \|\| =8.2.0-beta1 \|\| =8.2.0-beta2 \|\| =8.2.0-beta3 \|\| =8.2.0-rc1 \|\| =8.2.0-rc2 \|\| =8.2.1 \|\| =8.2.2 \|\| =8.2.3 \|\| =8.2.4 \|\| =8.2.5 \|\| =8.2.6 \|\| =8.2.7 \|\| =8.2.8 \|\| =8.3.0 \|\| =8.3.0-alpha1 \|\| =8.3.0-beta1 \|\| =8.3.0-rc1 \|\| =8.3.0-rc2 \|\| =8.3.1 \|\| =8.3.2 \|\| =8.3.3 \|\| =8.3.4 \|\| =8.3.5 \|\| =8.3.6 \|\| =8.3.7 \|\| =8.3.8 \|\| =8.3.9 \|\| =8.4.0 \|\| =8.4.0-alpha1 \|\| =8.4.0-beta1 \|\| =8.4.0-rc1 \|\| =8.4.0-rc2 \|\| =8.4.1 \|\| =8.4.2 \|\| =8.4.3 \|\| =8.4.4 \|\| =8.4.5 \|\| =8.4.6 \|\| =8.4.7 \|\| =8.4.8 \|\| =8.5.0 \|\| =8.5.0-alpha1 \|\| =8.5.0-beta1 \|\| =8.5.0-rc1 \|\| =8.5.1 \|\| =8.5.10 \|\| =8.5.11 \|\| =8.5.12 \|\| =8.5.13 \|\| =8.5.14 \|\| =8.5.15 \|\| =8.5.2 \|\| =8.5.3 \|\| =8.5.4 \|\| =8.5.5 \|\| =8.5.6 \|\| =8.5.7 \|\| =8.5.8 \|\| =8.5.9 \|\| =8.6.0 \|\| =8.6.0-alpha1 \|\| =8.6.0-beta1 \|\| =8.6.0-beta2 \|\| =8.6.0-rc1 \|\| =8.6.1 \|\| =8.6.10 \|\| =8.6.11 \|\| =8.6.12 \|\| =8.6.13 \|\| =8.6.14 \|\| =8.6.15 \|\| =8.6.16 \|\| =8.6.17 \|\| =8.6.18 \|\| =8.6.2 \|\| =8.6.3 \|\| =8.6.4 \|\| =8.6.5 \|\| =8.6.6 \|\| =8.6.7 \|\| =8.6.8 \|\| =8.6.9 \|\| =8.7.0 \|\| =8.7.0-alpha1 \|\| =8.7.0-alpha2 \|\| =8.7.0-beta1 \|\| =8.7.0-beta2 \|\| =8.7.0-rc1 \|\| =8.7.1 \|\| =8.7.10 \|\| =8.7.11 \|\| =8.7.12 \|\| =8.7.13 \|\| =8.7.14 \|\| =8.7.2 \|\| =8.7.3 \|\| =8.7.4 \|\| =8.7.5 \|\| =8.7.6 \|\| =8.7.7 \|\| =8.7.8 \|\| =8.7.9 \|\| =8.8.0 \|\| =8.8.0-alpha1 \|\| =8.8.0-beta1 \|\| =8.8.0-rc1 \|\| =8.8.1 \|\| =8.8.10 \|\| =8.8.11 \|\| =8.8.12 \|\| =8.8.2 \|\| =8.8.3 \|\| =8.8.4 \|\| =8.8.5 \|\| =8.8.6 \|\| =8.8.7 \|\| =8.8.8 \|\| =8.8.9 \|\| =8.9.0 \|\| =8.9.0-beta1 \|\| =8.9.0-beta2 \|\| =8.9.0-beta3 \|\| =8.9.0-rc1 \|\| =8.9.1 \|\| =8.9.10 \|\| =8.9.11 \|\| =8.9.12 \|\| =8.9.13 \|\| =8.9.14 \|\| =8.9.15 \|\| =8.9.16 \|\| =8.9.17 \|\| =8.9.18 \|\| =8.9.19 \|\| =8.9.2 \|\| =8.9.20 \|\| =8.9.3 \|\| =8.9.4 \|\| =8.9.5 \|\| =8.9.6 \|\| =8.9.7 \|\| =8.9.8 \|\| =8.9.9 \|\| =9.0.0 \|\| =9.0.0-alpha1 \|\| =9.0.0-alpha2 \|\| =9.0.0-beta1 \|\| =9.0.0-beta2 \|\| =9.0.0-beta3 \|\| =9.0.0-rc1 \|\| =9.0.1 \|\| =9.0.10 \|\| =9.0.11 \|\| =9.0.12 \|\| =9.0.13 \|\| =9.0.14 \|\| =9.0.2 \|\| =9.0.3 \|\| =9.0.4 \|\| =9.0.5 \|\| =9.0.6 \|\| =9.0.7 \|\| =9.0.8 \|\| =9.0.9 \|\| =9.1.0 \|\| =9.1.0-alpha1 \|\| =9.1.0-beta1 \|\| =9.1.0-rc1 \|\| =9.1.0-rc2 \|\| =9.1.0-rc3 \|\| =9.1.1 \|\| =9.1.10 \|\| =9.1.11 \|\| =9.1.12 \|\| =9.1.13 \|\| =9.1.14 \|\| =9.1.15 \|\| =9.1.2 \|\| =9.1.3 \|\| =9.1.4 \|\| =9.1.5 \|\| =9.1.6 \|\| =9.1.7 \|\| =9.1.8 \|\| =9.1.9 \|\| =9.2.0 \|\| =9.2.0-alpha1 \|\| =9.2.0-beta1 \|\| =9.2.0-beta2 \|\| =9.2.0-beta3 \|\| =9.2.0-rc1 \|\| =9.2.1 \|\| =9.2.10 \|\| =9.2.11 \|\| =9.2.12 \|\| =9.2.13 \|\| =9.2.14 \|\| =9.2.2 \|\| =9.2.3 \|\| =9.2.4 \|\| =9.2.5 \|\| =9.2.6 \|\| =9.2.7 \|\| =9.2.8 \|\| =9.2.9 \|\| =9.3.0 \|\| =9.3.1 \|\| =9.3.2 \|\| =9.3.3 \|\| =9.3.4 \|\| =9.3.5 \|\| =9.3.6 \|\| =9.3.7 \|\| >=8.0.0 <9.2.15 \|\| >=9.3.0 <9.3.8	9.2.15, 9.3.8

Aliases

1. CVE-2022-247282. NVD-2022-247283. OSV-2022-247284. OSV-DEBIAN-2022-247285. OSV-DRUPAL-CORE-2022-0056. GHSA-4fc4-4p5g-6w897. https://securitylab.github.com/advisories/GHSL-2022-009_ckeditor48. GCVE-2022-247289. SECURITY-TRACKER-CVE-2022-2472810. GHSA-4fc4-4p5g-6w89

References

1. https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w892. https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc9493. https://ckeditor.com/cke4/release/CKEditor-4.18.04. https://lists.fedoraproject.org/archives/list/[email protected]/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW65. https://lists.fedoraproject.org/archives/list/[email protected]/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP6. https://www.drupal.org/sa-core-2022-0057. https://www.oracle.com/security-alerts/cpujul2022.html