CVE-2022-24728

Summary

CVE	CVE-2022-24728
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-03-16 16:15:00 UTC
Updated	2023-11-07 03:44:00 UTC
Description	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

Risk And Classification

Problem Types: CWE-79

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Ckeditor	Ckeditor	All	All	All	All
Application	Drupal	Drupal	All	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Operating System	Fedoraproject	Fedora	37	All	All	All
Application	Oracle	Application Express	All	All	All	All
Application	Oracle	Commerce Merchandising	11.3.2	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	8.1.1.0	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	8.1.2.0	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	8.1.2.1	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	All	All	All	All
Application	Oracle	Financial Services Behavior Detection Platform	8.0.7.0	All	All	All
Application	Oracle	Financial Services Behavior Detection Platform	8.0.8.0	All	All	All
Application	Oracle	Financial Services Behavior Detection Platform	All	All	All	All
Application	Oracle	Financial Services Trade-based Anti Money Laundering	8.0.7	All	All	All
Application	Oracle	Financial Services Trade-based Anti Money Laundering	8.0.8	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All

References

Reference	Source	Link	Tags
HTML processing vulnerability allowing to execute JavaScript code · Advisory · ckeditor/ckeditor4 · GitHub	CONFIRM	github.com
[SECURITY] Fedora 36 Update: ckeditor-4.20.0-1.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Code refactoring. · ckeditor/ckeditor4@d158413 · GitHub	MISC	github.com
CKEditor 4.18.0 \| CKEditor.com	MISC	ckeditor.com
[SECURITY] Fedora 36 Update: ckeditor-4.20.0-1.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Access to this page has been denied.	CONFIRM	www.drupal.org
[SECURITY] Fedora 37 Update: ckeditor-4.20.0-1.fc37 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
[SECURITY] Fedora 37 Update: ckeditor-4.20.0-1.fc37 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

154126 Drupal Core: CKEditor Library Multiple Vulnerabilities (CVE-2022-24728,CVE-2022-24729)
184714 Debian Security Update for ckeditor (CVE-2022-24728)
283229 Fedora Security Update for ckeditor (FEDORA-2022-b61dfd219b)
283475 Fedora Security Update for ckeditor (FEDORA-2022-4c634ee466)
730408 Drupal Core CKEDITOR library Cross-Site Scripting (XSS) Vulnerability (SA-CORE-2022-005)