← Back

CVE-2020-9281

nvd nist
Published: Mar 7, 2020Modified: Nov 21, 2024

JSON object

Loading...
6.1
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 / Impact: 2.7
Source: NVD

Description

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

Affected (24)

Products: Ckeditor: Ckeditor · Fedoraproject: Fedora · Drupal: Drupal · +1 more
Show all products
Ckeditor: Ckeditor · Fedoraproject: Fedora · Drupal: Drupal · Oracle: Agile Plm, Application Express, Jd Edwards Enterpriseone Tools, Peoplesoft Enterprise Peopletools, Siebel Apps Customer Order Management, Webcenter Portal, Banking Enterprise Default Management, Banking Enterprise Default Managment
Ckeditor
1 product
Ckeditor
Fedoraproject
1 product
Fedora
Drupal
1 product
Drupal
Oracle
8 products
Agile Plm
Application Express
Jd Edwards Enterpriseone Tools
Peoplesoft Enterprise Peopletools
Siebel Apps Customer Order Management
Webcenter Portal
Banking Enterprise Default Management
Banking Enterprise Default Managment
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Ckeditor
From 4.0 to 4.14
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 30
Fedora
Version 31
Fedora
Version 32
Configuration C
2 vulnerable
Vulnerable SoftwareAffected Versions
Drupal
Drupal
From 8.7.0 to 8.7.12
Drupal
From 8.8.0 to 8.8.4
Configuration D
12 vulnerable
Vulnerable SoftwareAffected Versions
Oracle
Agile Plm
Version 9.3.5
Agile Plm
Version 9.3.6
Application Express
Before 20.2
Jd Edwards Enterpriseone Tools
Before 9.2.5.2
Oracle
Peoplesoft Enterprise Peopletools
All versions
Peoplesoft Enterprise Peopletools
Version 8.56
Peoplesoft Enterprise Peopletools
Version 8.57
Peoplesoft Enterprise Peopletools
Version 8.58
Siebel Apps Customer Order Management
Before 21.0
Oracle
Webcenter Portal
Version 11.1.1.9.0
Webcenter Portal
Version 12.2.1.3.0
Webcenter Portal
Version 12.2.1.4.0
Configuration E
6 vulnerable
Vulnerable SoftwareAffected Versions
Oracle
Banking Enterprise Default Management
Version 2.10.0
Banking Enterprise Default Management
Version 2.12.0
Banking Enterprise Default Management
Version 2.6.2
Banking Enterprise Default Management
Version 2.7.0
Banking Enterprise Default Management
Version 2.7.1
Banking Enterprise Default Managment
From 2.3.0 to 2.4.0

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (18)

Source: cve@mitre.org
ProductThird Party Advisory
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
PatchThird Party Advisory
Source: cve@mitre.org
PatchThird Party Advisory
Source: cve@mitre.org
PatchVendor Advisory
Source: cve@mitre.org
PatchThird Party Advisory
Source: cve@mitre.org
Not ApplicableThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ProductThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Not ApplicableThird Party Advisory

Timeline

No history available yet.