Update your CKEditor 4 installation to the latest version 4.18.0 or higher.

There are newer versions of CKEditor available. CKEditor5 is a professional WYSIWYG HTML editor for building and editing rich internet applications; it is widely used for building websites, mobile apps, and project documentation, and appears in commercial products and on publicly available websites. CKEditor5 has been updated to version 4.17.3. There are currently no known workarounds.

What is CKEditor?

CKEditor is one of the most popular, easy-to-use and powerful WYSIWYG HTML editors for building and editing rich internet applications, and it is widely used in commercial products and on publicly available websites.

References:

CKEditor 4.18.0: https://ckeditor.com/downloads/4.18.0
CKEditor 5.17.3: https://ckeditor.com/downloads/5.17.3

Description of the issue

The fix is included in CKEditor 4 version 4.18.0 and higher. Update your CKEditor 4 installation to version 4.18.0 or higher to avoid this vulnerability.

CWE-2022 Improper Neutralization of Special Elements In Web Applications

The vulnerability is known as CVE-2022-24728.

A vulnerability was discovered in the CKEditor 4 web application. An attacker can exploit it via special HTML tags that are not properly sanitized before being used, allowing the attacker to execute arbitrary PHP code within the context of the requesting site.

Timeline

Published on: 03/16/2022 16:15:00 UTC
Last modified on: 07/25/2022 18:21:00 UTC
