CVE-2020-9281

MEDIUM

CKEditor 4.0-4.13 - Cross-Site Scripting via Protected Comment Injection

Title source: llm
STIX 2.1

Description

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

References (9)

Core 9
Core References
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Product, Third Party Advisory x_refsource_misc
https://github.com/ckeditor/ckeditor4
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Not Applicable, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html

Scores

CVSS v3 6.1
EPSS 0.0119
EPSS Percentile 79.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (24)
ckeditor/ckeditor 4.0 - 4.14
drupal/drupal 8.7.0 - 8.7.12
fedoraproject/fedora 30
fedoraproject/fedora 31
fedoraproject/fedora 32
npm/ckeditor4 0 - 4.14.0npm
oracle/agile_plm 9.3.5
oracle/agile_plm 9.3.6
oracle/application_express < 20.2
oracle/banking_enterprise_default_management 2.6.2
... and 14 more
Published Mar 07, 2020
Tracked Since Feb 18, 2026