Fluid Attacks Database

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the dialog plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	ckeditor	=4.16.0+dfsg-2 \|\| =4.16.2+dfsg-1 \|\| =4.19.0+dfsg-1 \|\| =4.19.1+dfsg-1 \|\| =4.22.1+dfsg-1 \|\| =4.22.1+dfsg1-2	-
debian 12	ckeditor	>=0 <4.19.0+dfsg-1	4.19.0+dfsg-1
npm	ckeditor	>=4.0 <4.18.0	4.18.0
npm	ckeditor4	>=4.0 <4.18.0	4.18.0

Aliases

1. CVE-2022-247292. NVD-2022-247293. OSV-DEBIAN-2022-247294. OSV-2022-247295. GCVE-2022-247296. SECURITY-TRACKER-CVE-2022-247297. GHSA-f6rf-9m92-x2hh

References

1. https://ckeditor.com/cke4/release/CKEditor-4.18.02. https://www.drupal.org/sa-core-2022-005

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.