CVE-2018-9861
Summary
| CVE | CVE-2018-9861 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-04-19 17:29:00 UTC |
| Updated | 2019-07-18 13:15:00 UTC |
| Description | Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003 \| Drupal.org | CONFIRM | www.drupal.org | Third Party Advisory |
| CKEditor CVE-2018-9861 Cross Site Scripting Vulnerability | BID | www.securityfocus.com | |
| Oracle Critical Patch Update - July 2019 | MISC | www.oracle.com | |
| ckeditor-dev/CHANGES.md at master · ckeditor/ckeditor-dev · GitHub | CONFIRM | github.com | Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 198710 Ubuntu Security Notification for CKEditor Vulnerabilities (USN-5340-1)
- 995646 NodeJs (Npm) Security Update for ckeditor-dev (GHSA-g78h-pf65-46rv)
- 995689 PHP (Composer) Security Update for drupal/core (GHSA-g78h-pf65-46rv)