PT-2021-10120 · Ckeditor+1

Published 2021-04-29 · Updated 2021-05-03 · CVE-2020-18035

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jeesns version 1.4.2
Description: Jeesns 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the CKEditorFuncNum parameter handled by the CkeditorUploadController.java component: the parameter value is returned to the browser without adequate validation or output encoding. This is a cross-site scripting (XSS) issue, not code execution on the server. The CVSS vector (reachable over the network, no privileges required, user interaction required, scope changed, limited confidentiality and integrity impact) reflects that a victim has to be induced to open a crafted request, after which the attacker's script runs in the victim's browser in the context of the Jeesns site.
Recommendations: Upgrade to a Jeesns release that fixes this issue once one is available. Until then, validate CKEditorFuncNum strictly before it is echoed back: in CKEditor's file-browser upload flow the value is an integer callback index generated by the editor, so anything that is not a short run of digits can be rejected outright. Output-encode every request-derived value that the controller writes into its HTML or script response, and restrict the upload endpoint to authenticated users so that the reflected parameter cannot be reached anonymously.
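The following is an added illustration of the pattern behind this class of bug; it is not code from Jeesns, and the page does not show the actual Jeesns code path. It assumes the upload endpoint follows the standard CKEditor 4 file-browser upload contract, in which the server answers a form upload with a small HTML page that calls `window.parent.CKEDITOR.tools.callFunction(CKEditorFuncNum, url, message)`. If the CKEditorFuncNum request parameter is concatenated into that script unchanged, a value that closes the call can run attacker-supplied JavaScript in the parent page. The class name, method names, the sample URL and the constructed payload below are assumptions for illustration only.

```java
import java.util.regex.Pattern;

/**
 * Added illustration of the CKEditor upload-callback XSS pattern and its fix.
 * Hypothetical code, not taken from Jeesns or from CKEditor.
 */
public class CkeditorCallbackDemo {

    // Constructed attacker input (not from the advisory): closes the
    // callFunction(...) call and appends its own statement.
    static final String PAYLOAD = "1);alert(document.domain);//";

    // Vulnerable pattern: the request parameter is reflected verbatim into a
    // <script> block, so the browser executes whatever the attacker supplied.
    static String vulnerableCallback(String funcNum, String fileUrl) {
        return "<script type=\"text/javascript\">"
             + "window.parent.CKEDITOR.tools.callFunction(" + funcNum + ", '" + fileUrl + "', '');"
             + "</script>";
    }

    // CKEditor generates CKEditorFuncNum with CKEDITOR.tools.addFunction, so a
    // legitimate value is always a small non-negative integer.
    private static final Pattern FUNC_NUM = Pattern.compile("\\d{1,9}");

    // Hardened pattern: allow-list validation of the callback number, plus
    // JavaScript-string escaping of the URL that is emitted inside quotes.
    static String hardenedCallback(String funcNum, String fileUrl) {
        if (funcNum == null || !FUNC_NUM.matcher(funcNum).matches()) {
            throw new IllegalArgumentException("invalid CKEditorFuncNum");
        }
        int n = Integer.parseInt(funcNum); // at most 9 digits, so it fits in an int
        return "<script type=\"text/javascript\">"
             + "window.parent.CKEDITOR.tools.callFunction(" + n + ", '" + jsEscape(fileUrl) + "', '');"
             + "</script>";
    }

    // Escaping for a value placed inside a single-quoted JS string literal.
    // Quotes, backslashes, angle brackets (which would otherwise allow a
    // </script> breakout) and control characters become \uXXXX escapes.
    static String jsEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '\'' || c == '"' || c == '<' || c == '>' || c == '&' || c < 0x20) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String url = "/upload/2021/05/photo.png"; // constructed sample path
        System.out.println("vulnerable: " + vulnerableCallback(PAYLOAD, url));
        System.out.println("hardened (valid): " + hardenedCallback("42", url));
        try {
            hardenedCallback(PAYLOAD, url);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened (payload): rejected, " + e.getMessage());
        }
    }
}
```

Running the demo prints the vulnerable response with the injected `alert(document.domain)` statement sitting inside the script block, the hardened response for a legitimate callback number, and the rejection of the payload. The allow-list check is the important part: because the editor only ever sends an integer, there is no reason to accept, let alone reflect, anything else, and rejecting early is simpler and safer than trying to encode a value that is emitted in a JavaScript numeric position.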

Fix

XSS


Weakness Enumeration: cross-site scripting (XSS)

Related Identifiers: CVE-2020-18035

Affected Products: Ckeditor, Jeesns