Skip to main content

Ckeditor CVE-2022-24729

HIGH
Uncontrolled Resource Consumption (CWE-400)
2022-03-16 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 16, 2022 - 17:15 nvd
HIGH 7.5

DescriptionNVD

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the dialog plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

AnalysisAI

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the dialog plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. Affected products include: Ckeditor, Drupal, Oracle Application Express, Oracle Commerce Merchandising, Oracle Financial Services Analytical Applications Infrastructure. Version information: version 4.18.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

CVE-2023-31541 CRITICAL POC
9.8 Jun 13

A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3

CVE-2021-33829 MEDIUM POC
6.1 Jun 09

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1

CVE-2018-17960 MEDIUM POC
6.1 Nov 14

CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. Rated medium severity (CVSS 6.1), thi

CVE-2012-2067 MEDIUM
6.8 Sep 05

Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 a

CVE-2021-26272 MEDIUM
6.5 Jan 26

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL

CVE-2021-26271 MEDIUM
6.5 Jan 26

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted tex

CVE-2024-43407 MEDIUM
6.1 Aug 21

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2024-24816 MEDIUM
6.1 Feb 07

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2024-24815 MEDIUM
6.1 Feb 07

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2023-4771 MEDIUM
6.1 Nov 16

A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. Rated me

CVE-2023-28439 MEDIUM
6.1 Mar 22

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2020-27193 MEDIUM
6.1 Nov 12

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run

Share

CVE-2022-24729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy