CVE-2022-24729

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions CKEditor4 versions prior to 4.18.0

Description The issue is related to the dialog plugin in CKEditor4, which contains a vulnerability allowing abuse of a dialog input validator regular expression. This can cause a significant performance drop, resulting in a browser tab freeze. The vulnerability can be exploited by a remote attacker to cause a denial of service.

Recommendations For CKEditor4 versions prior to 4.18.0, update to version 4.18.0 to resolve the issue. As a temporary workaround, consider disabling the dialog plugin until a patch is available. Restrict access to the dialog plugin to minimize the risk of exploitation. Avoid using the vulnerable regular expression in the dialog plugin until the issue is resolved. At the moment, there is no other information about additional workarounds.

Exploit

Fix

Resource Exhaustion

DoS

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400CWE-1333CWE-79

Related Identifiers

BDU:2022-07065

BIT-DRUPAL-2022-24728

BIT-DRUPAL-2022-24729

CVE-2022-24729

DRUPAL-CORE-2022-005

GHSA-4FC4-4P5G-6W89

GHSA-F6RF-9M92-X2HH

Affected Products

Ckeditor4

Debian

CVE-2022-24729

Weakness Enumeration

Related Identifiers

Affected Products

References · 27