CVE-2020-27193
MEDIUMCKEditor 4.15.0 - Cross-Site Scripting via Color Dialog Plugin
Title source: llmDescription
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
References (6)
Core 6
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://ckeditor.com/ckeditor-4/download/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Release Notes, Vendor Advisory x_refsource_confirm
https://ckeditor.com/cke4/release/CKEditor-4.15.1
Release Notes, Vendor Advisory x_refsource_confirm
https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Scores
CVSS v3
6.1
EPSS
0.0202
EPSS Percentile
78.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (24)
ckeditor/ckeditor
4.15.0
npm/ckeditor4
0 - 4.15.1npm
oracle/agile_plm
9.3.5
oracle/agile_plm
9.3.6
oracle/application_express
< 21.1.0.00.01
oracle/banking_party_management
2.7.0
oracle/banking_platform
2.4.0
oracle/banking_platform
2.7.0
oracle/banking_platform
2.7.1
oracle/banking_platform
2.8.0
... and 14 more
Published
Nov 12, 2020
Tracked Since
Feb 18, 2026