Vulnerability Description
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ckeditor | Ckeditor | >= 4.0, < 4.18.0 |
| Drupal | Drupal | >= 8.0.0, < 9.2.15 |
| Oracle | Application Express | < 22.1.1 |
| Oracle | Commerce Merchandising | 11.3.2 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.7.0.0, <= 8.1.0.0.0 |
| Oracle | Financial Services Behavior Detection Platform | >= 8.1.1.0, <= 8.1.2.1 |
| Oracle | Financial Services Trade-Based Anti Money Laundering | 8.0.7 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Fedoraproject | Fedora | 36 |
Related Weaknesses (CWE)
References
- https://ckeditor.com/cke4/release/CKEditor-4.18.0Release NotesVendor Advisory
- https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881PatchThird Party Advisory
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.drupal.org/sa-core-2022-005PatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
- https://ckeditor.com/cke4/release/CKEditor-4.18.0Release NotesVendor Advisory
- https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881PatchThird Party Advisory
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.drupal.org/sa-core-2022-005PatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
FAQ
What is CVE-2022-24728?
CVE-2022-24728 is a vulnerability with a CVSS score of 5.4 (MEDIUM). CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to vers...
How severe is CVE-2022-24728?
CVE-2022-24728 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24728?
Check the references section above for vendor advisories and patch information. Affected products include: Ckeditor Ckeditor, Drupal Drupal, Oracle Application Express, Oracle Commerce Merchandising, Oracle Financial Services Analytical Applications Infrastructure.