Search for vulnerabilities
Vulnerability details: VCID-39xu-3gsh-hbe9
Vulnerability ID VCID-39xu-3gsh-hbe9
Aliases CVE-2022-24728
GHSA-4fc4-4p5g-6w89
Summary CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00668 https://api.first.org/data/v1/epss?cve=CVE-2022-24728
cvssv3.1 5.4 https://ckeditor.com/cke4/release/CKEditor-4.18.0
generic_textual MODERATE https://ckeditor.com/cke4/release/CKEditor-4.18.0
ssvc Track https://ckeditor.com/cke4/release/CKEditor-4.18.0
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-4fc4-4p5g-6w89
cvssv3.1 5.4 https://github.com/ckeditor/ckeditor4
generic_textual MODERATE https://github.com/ckeditor/ckeditor4
cvssv3.1 5.4 https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949
generic_textual MODERATE https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949
ssvc Track https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949
cvssv3.1 5.4 https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
cvssv3.1_qr MODERATE https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
generic_textual MODERATE https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
ssvc Track https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
cvssv3.1 5.4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
cvssv3.1 5.4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
cvssv3.1 5.4 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6
cvssv3.1 5.4 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2022-24728
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-24728
cvssv3.1 5.4 https://securitylab.github.com/advisories/GHSL-2022-009_ckeditor4
generic_textual MODERATE https://securitylab.github.com/advisories/GHSL-2022-009_ckeditor4
cvssv3.1 5.4 https://www.drupal.org/sa-core-2022-005
generic_textual MODERATE https://www.drupal.org/sa-core-2022-005
ssvc Track https://www.drupal.org/sa-core-2022-005
cvssv3.1 5.4 https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual MODERATE https://www.oracle.com/security-alerts/cpujul2022.html
ssvc Track https://www.oracle.com/security-alerts/cpujul2022.html
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-24728
https://ckeditor.com/cke4/release/CKEditor-4.18.0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24728
https://github.com/ckeditor/ckeditor4
https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
https://nvd.nist.gov/vuln/detail/CVE-2022-24728
https://securitylab.github.com/advisories/GHSL-2022-009_ckeditor4
https://securitylab.github.com/advisories/GHSL-2022-009_ckeditor4/
https://www.drupal.org/sa-core-2022-005
https://www.oracle.com/security-alerts/cpujul2022.html
1015217 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015217
GHSA-4fc4-4p5g-6w89 https://github.com/advisories/GHSA-4fc4-4p5g-6w89
USN-7258-1 https://usn.ubuntu.com/7258-1/
VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://ckeditor.com/cke4/release/CKEditor-4.18.0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:59Z/ Found at https://ckeditor.com/cke4/release/CKEditor-4.18.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/ckeditor/ckeditor4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:59Z/ Found at https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:59Z/ Found at https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:59Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:59Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-24728
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://securitylab.github.com/advisories/GHSL-2022-009_ckeditor4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://www.drupal.org/sa-core-2022-005
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:59Z/ Found at https://www.drupal.org/sa-core-2022-005
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://www.oracle.com/security-alerts/cpujul2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:08:59Z/ Found at https://www.oracle.com/security-alerts/cpujul2022.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.70292
EPSS Score 0.00668
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:19:40.662229+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/7258-1/ 36.1.3