CVE-2020-9281

moderate-risk

Published 2020-03-07

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

Do I need to act?

1.2% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Ckeditor

Fedora

Drupal

Agile Plm

Application Express

Jd Edwards Enterpriseone Tools

Peoplesoft Enterprise Peopletools

Siebel Apps - Customer Order Management

Webcenter Portal

Banking Enterprise Default Management

Affected Vendors

Oracle Drupal Fedoraproject Ckeditor

References (18)

Product https://github.com/ckeditor/ckeditor4

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Patch https://www.oracle.com/security-alerts/cpuApr2021.html

Patch https://www.oracle.com/security-alerts/cpujan2021.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Patch https://www.oracle.com/security-alerts/cpuoct2020.html

Not Applicable https://www.oracle.com/security-alerts/cpuoct2021.html

Product https://github.com/ckeditor/ckeditor4

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Patch https://www.oracle.com/security-alerts/cpuApr2021.html

Patch https://www.oracle.com/security-alerts/cpujan2021.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Patch https://www.oracle.com/security-alerts/cpuoct2020.html

Not Applicable https://www.oracle.com/security-alerts/cpuoct2021.html

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 4/34 · Minimal

Exposure 21/34 · High