CVE-2020-27193

MEDIUM

CKEditor 4.15.0 - Cross-Site Scripting via Color Dialog Plugin

Title source: llm
STIX 2.1

Description

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.

References (6)

Core 6
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://ckeditor.com/ckeditor-4/download/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Release Notes, Vendor Advisory x_refsource_confirm
https://ckeditor.com/cke4/release/CKEditor-4.15.1
Release Notes, Vendor Advisory x_refsource_confirm
https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3 6.1
EPSS 0.0202
EPSS Percentile 78.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (24)
ckeditor/ckeditor 4.15.0
npm/ckeditor4 0 - 4.15.1npm
oracle/agile_plm 9.3.5
oracle/agile_plm 9.3.6
oracle/application_express < 21.1.0.00.01
oracle/banking_party_management 2.7.0
oracle/banking_platform 2.4.0
oracle/banking_platform 2.7.0
oracle/banking_platform 2.7.1
oracle/banking_platform 2.8.0
... and 14 more
Published Nov 12, 2020
Tracked Since Feb 18, 2026