Vulnerability Description
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ckeditor | Ckeditor | >= 4.0, < 4.14 |
| Fedoraproject | Fedora | 30 |
| Drupal | Drupal | >= 8.7.0, < 8.7.12 |
| Oracle | Agile Plm | 9.3.5 |
| Oracle | Application Express | < 20.2 |
| Oracle | Jd Edwards Enterpriseone Tools | < 9.2.5.2 |
| Oracle | Peoplesoft Enterprise Peopletools | - |
| Oracle | Siebel Apps - Customer Order Management | < 21.0 |
| Oracle | Webcenter Portal | 11.1.1.9.0 |
| Oracle | Banking Enterprise Default Management | 2.6.2 |
| Oracle | Banking Enterprise Default Management | >= 2.3.0, <= 2.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/ckeditor/ckeditor4 (Product, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuoct2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Not Applicable, Third Party Advisory)
FAQ
What is CVE-2020-9281?
CVE-2020-9281 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with th...
How severe is CVE-2020-9281?
CVE-2020-9281 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-9281?
Check the references section above for vendor advisories and patch information. Affected products include: Ckeditor Ckeditor, Fedoraproject Fedora, Drupal Drupal, Oracle Agile Plm, Oracle Application Express.