Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00ZmM0LTRwNWctNnc4Oc0zNg

Cross-site Scripting in CKEditor4

Affected packages

The vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4.

Impact

A potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.18.0.

Patches

The problem has been recognized and patched. The fix will be available in version 4.18.0.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank GHSL team member Kevin Backhouse (@kevinbackhouse) for recognizing and reporting this vulnerability.

Permalink: https://github.com/advisories/GHSA-4fc4-4p5g-6w89
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ZmM0LTRwNWctNnc4Oc0zNg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: almost 2 years ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00179
EPSS Percentile: 0.55502

Identifiers: GHSA-4fc4-4p5g-6w89, CVE-2022-24728
References:

Repository: https://github.com/ckeditor/ckeditor4
Blast Radius: 14.8

Affected Packages

npm:ckeditor4

Dependent packages: 26
Dependent repositories: 546
Downloads: 134,680 last month
Affected Version Ranges: < 4.18.0
Fixed in: 4.18.0
All affected versions: 4.13.0, 4.13.1, 4.14.0, 4.14.1, 4.15.0, 4.15.1, 4.16.0, 4.16.1, 4.16.2, 4.17.0, 4.17.1, 4.17.2
All unaffected versions: 4.18.0, 4.19.0, 4.19.1, 4.20.0, 4.20.1, 4.20.2, 4.21.0, 4.22.0, 4.22.1, 4.23.0, 4.24.0, 4.25.0