Lucene search

[email protected]CVE-2022-48110

HistoryFeb 13, 2023 - 8:15 p.m.

CVE-2022-48110

2023-02-1320:15:10

CWE-79

[email protected]

web.nvd.nist.gov

ckeditor

cksource

cve-2022-48110

xss

vulnerability

full featured

widget

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

37.3%

JSON

CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor’s position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false).

Affected configurations

NVD

Node

ckeditorckeditorMatch35.4.0node.js

CPENameOperatorVersion
ckeditor:ckeditorckeditoreq35.4.0

CPE	Name	Operator	Version
ckeditor:ckeditor	ckeditor	eq	35.4.0

References

ckeditor.com/docs/ckeditor5/latest/features/html-embed.html

packetstormsecurity.com/files/170927/CKSource-CKEditor5-35.4.0-Cross-Site-Scripting.html

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

37.3%

JSON

Related for CVE-2022-48110

ubuntucve1 github1 osv1 openvas1 cvelist1 nvd1 zdt2 prion1 packetstorm1 exploitdb1 ibm1