Description
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.
References (4)
Core 4
Core References
Release Notes x_refsource_confirm
https://github.com/ckeditor/ckeditor-dev/blob/master/CHANGES.md
Third Party Advisory x_refsource_confirm
https://www.drupal.org/sa-core-2018-003
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/103924
Vendor Advisory x_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Scores
CVSS v3
6.1
EPSS
0.0037
EPSS Percentile
58.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (5)
ckeditor/enhanced_image
4.5.10 - 4.9.2
drupal/core
8.5.0 - 8.5.2Packagist
drupal/drupal
8.0 - 8.4.7Packagist
drupal/drupal
8.0.0 - 8.4.7
npm/ckeditor-dev
4.5.10 - 4.9.2npm
Published
Apr 19, 2018
Tracked Since
Feb 18, 2026