CVE-2022-24729

MEDIUM

CKEditor 4.0-4.17.2 - Denial of Service via Dialog Input Validator Regex

Title source: llm
STIX 2.1

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

References (6)

Core 6

Scores

CVSS v3 6.5
EPSS 0.0245
EPSS Percentile 82.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-1333 CWE-400
Status published
Products (17)
ckeditor/ckeditor 4.0 - 4.18.0
drupal/drupal 8.0.0 - 9.2.15
fedoraproject/fedora 36
fedoraproject/fedora 37
oracle/application_express < 22.1.1
oracle/commerce_merchandising 11.3.2
oracle/financial_services_analytical_applications_infrastructure 8.1.1.0
oracle/financial_services_analytical_applications_infrastructure 8.1.2.0
oracle/financial_services_analytical_applications_infrastructure 8.1.2.1
oracle/financial_services_analytical_applications_infrastructure 8.0.7.0.0 - 8.1.0.0.0
... and 7 more
Published Mar 16, 2022
Tracked Since Feb 18, 2026