Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

Remediation

References

https://ckeditor.com/cke4/release/CKEditor-4.18.0

https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/

https://www.drupal.org/sa-core-2022-005

https://www.oracle.com/security-alerts/cpujul2022.html

Related Vulnerabilities

CVE-2021-39233 Vulnerability in maven package org.apache.ozone:ozone-main

CVE-2018-1000665 Vulnerability in maven package org.apache.geronimo.plugins:dojo

CVE-2019-17359 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on

CVE-2023-34238 Vulnerability in npm package gatsby-cli

CVE-2023-45136 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Release Notes Vendor Advisory Patch Third Party Advisory