CVE-2022-24728
Cross-site Scripting in CKEditor4
5.4
MEDIUM
CVSS 3.1
EPSS 0.99%
Description
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows an attacker to inject malformed HTML that bypasses content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
How to fix CVE-2022-24728
To remediate CVE-2022-24728, upgrade the affected package to a fixed version below.
- —upgrade to 9.2.15 or later
- —upgrade to 9.2.15 or later
- —no fix listed
- —no fix listed
- —upgrade to 4.18.0 or later
- —upgrade to 9.2.15 or later
Is CVE-2022-24728 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- >= 8.0.0, < 9.2.15, >= 9.3.0, < 9.3.8
- >= 8.0.0, < 9.2.15, >= 9.3.0, < 9.3.8
- from 0
- from 0
- from 0, < 4.18.0
- >= 8.0.0, < 9.2.15 | >= 9.3.0, < 9.3.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |