Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Ckeditor Subscribe
Filtered by product Ckeditor
Total 19 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-48110 1 Ckeditor 1 Ckeditor 2023-02-23 N/A 6.1 MEDIUM
** DISPUTED ** CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false).
CVE-2022-24728 4 Ckeditor, Drupal, Fedoraproject and 1 more 9 Ckeditor, Drupal, Fedora and 6 more 2022-12-08 3.5 LOW 5.4 MEDIUM
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
CVE-2022-24729 4 Ckeditor, Drupal, Fedoraproject and 1 more 9 Ckeditor, Drupal, Fedora and 6 more 2022-12-08 5.0 MEDIUM 7.5 HIGH
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
CVE-2021-41164 4 Ckeditor, Drupal, Fedoraproject and 1 more 10 Ckeditor, Drupal, Fedora and 7 more 2022-12-08 3.5 LOW 5.4 MEDIUM
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2021-41165 3 Ckeditor, Drupal, Oracle 9 Ckeditor, Drupal, Agile Product Lifecycle Management and 6 more 2022-10-05 3.5 LOW 5.4 MEDIUM
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2020-9281 4 Ckeditor, Drupal, Fedoraproject and 1 more 11 Ckeditor, Drupal, Fedora and 8 more 2022-09-12 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
CVE-2020-9440 3 Ckeditor, Fedoraproject, Webspellchecker 3 Ckeditor, Fedora, Webspellchecker 2022-05-24 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.
CVE-2021-32809 3 Ckeditor, Fedoraproject, Oracle 10 Ckeditor, Fedora, Application Express and 7 more 2022-04-25 3.5 LOW 5.4 MEDIUM
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-26272 2 Ckeditor, Oracle 10 Ckeditor, Agile Plm, Application Express and 7 more 2022-03-01 4.3 MEDIUM 6.5 MEDIUM
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
CVE-2021-37695 4 Ckeditor, Debian, Fedoraproject and 1 more 12 Ckeditor, Debian Linux, Fedora and 9 more 2022-02-28 3.5 LOW 5.4 MEDIUM
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-32808 3 Ckeditor, Fedoraproject, Oracle 13 Ckeditor, Fedora, Application Express and 10 more 2022-02-28 3.5 LOW 5.4 MEDIUM
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2020-27193 2 Ckeditor, Oracle 9 Ckeditor, Agile Plm, Application Express and 6 more 2021-12-02 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
CVE-2021-26271 2 Ckeditor, Oracle 7 Ckeditor, Agile Plm, Application Express and 4 more 2021-12-01 4.3 MEDIUM 6.5 MEDIUM
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
CVE-2021-33829 4 Ckeditor, Debian, Drupal and 1 more 4 Ckeditor, Debian Linux, Drupal and 1 more 2021-11-23 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
CVE-2011-4972 1 Ckeditor 1 Ckeditor 2019-11-18 5.0 MEDIUM 7.5 HIGH
hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.
CVE-2018-17960 1 Ckeditor 1 Ckeditor 2019-07-16 4.3 MEDIUM 6.1 MEDIUM
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
CVE-2012-2067 2 Ckeditor, Drupal 3 Ckeditor, Fckeditor, Drupal 2017-08-28 6.8 MEDIUM N/A
Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information.
CVE-2012-2066 2 Ckeditor, Drupal 3 Ckeditor, Fckeditor, Drupal 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2014-5191 1 Ckeditor 1 Ckeditor 2015-09-08 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.