Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-24728

Good to know:

icon

Date: March 15, 2022

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

Language: JS

Severity Score

Related Resources (13)

https://ckeditor.com/cke4/release/CKEditor-4.18.0
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP
https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
https://securitylab.github.com/advisories/GHSL-2022-009_ckeditor4
https://www.drupal.org/sa-core-2022-005
https://github.com/ckeditor/ckeditor4
https://nvd.nist.gov/vuln/detail/CVE-2022-24728
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6
https://www.oracle.com/security-alerts/cpujul2022.html
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
https://www.mend.io/vulnerability-database/CVE-2022-24728

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version limesurvey/limesurvey - dev-develop-develop;limesurvey/limesurvey - dev-quota-remote-disable2;limesurvey/limesurvey - dev-fix-model-relations;limesurvey/limesurvey - dev-snyk-upgrade-8e8193a6a781d5929de6292963cd2a21;limesurvey/limesurvey - 5.3.7+220328;limesurvey/limesurvey - 4.0.0-alpha+181212;limesurvey/limesurvey - dev-survey-defaultsettings;limesurvey/limesurvey - dev-fixv3-16987;limesurvey/limesurvey - 3.28.18+220706;limesurvey/limesurvey - dev-fix-composer-license-format;limesurvey/limesurvey - dev-snyk-upgrade-66feccfba764223474d4b09ea736da24;limesurvey/limesurvey - 4.1.17+200414;limesurvey/limesurvey - 3.27.33+220125;limesurvey/limesurvey - dev-detached;limesurvey/limesurvey - dev-detached2;limesurvey/limesurvey - 6.0.0+230405;limesurvey/limesurvey - 3.23.5+200923;limesurvey/limesurvey - dev-snyk-upgrade-09b43073972851b96ebd7683ed5b21ab;limesurvey/limesurvey - dev-clicks-test3;limesurvey/limesurvey - dev-fix-16987;limesurvey/limesurvey - dev-display-import-errors-master;limesurvey/limesurvey - dev-querybuilder1;limesurvey/limesurvey - dev-dependabot/npm_and_yarn/assets/packages/lstutorial/loader-utils-2.0.3;limesurvey/limesurvey - dev-add-before-get-template-event;limesurvey/limesurvey - 3.0.0-beta.1+170720;limesurvey/limesurvey - dev-basic;limesurvey/limesurvey - no_fix;limesurvey/limesurvey - dev-fix-relations-20230411;limesurvey/limesurvey - 5.3.26+220720;limesurvey/limesurvey - dev-fix-tests;limesurvey/limesurvey - 2.65.2+170606;limesurvey/limesurvey - 3.27.35+220208;limesurvey/limesurvey - 3.28.14+220608;limesurvey/limesurvey - dev-fix-typo;limesurvey/limesurvey - 6.0.1+230411;limesurvey/limesurvey - 3.27.28+211208;limesurvey/limesurvey - dev-survey-booleans3;limesurvey/limesurvey - dev-dependabot/npm_and_yarn/assets/packages/lstutorial/terser-5.14.2;intelogie/ckeditor-prod - no_fix;intelogie/ckeditor-dev - no_fix;kevinchappell/form-builder - dev-dependabot/npm_and_yarn/lodash-4.17.21;ckeditor - no_fix;gfrodriguez/yii2-ckeditor - no_fix;ahyadessam/laravel-adminlte - 1.0.5;ahyadessam/laravel-adminlte - no_fix;sagsoz06/adminlte-theme - no_fix;ckeditor4 - 4.18.0;benit/ckeditor-dev - 4.0.0;org.webjars.npm:github-com-ckeditor-ckeditor4:no_fix;org.webjars.npm:github-com-ckeditor-ckeditor-dev:no_fix

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): SINGLE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us