CVE-2020-27193

Опубликовано: 12 нояб. 2020

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.

Ссылки

https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/
Release Notes
Vendor Advisory
https://ckeditor.com/cke4/release/CKEditor-4.15.1
Release Notes
Vendor Advisory
https://ckeditor.com/ckeditor-4/download/
Release Notes
Vendor Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/
Release Notes
Vendor Advisory
https://ckeditor.com/cke4/release/CKEditor-4.15.1
Release Notes
Vendor Advisory
https://ckeditor.com/ckeditor-4/download/
Release Notes
Vendor Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ckeditor:ckeditor:4.15.0:*:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*

Версия до 21.1.0.00.01 (исключая)

cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_merchandising:11.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_merchandising:11.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_merchandising:11.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_merchandising:11.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_merchandising:11.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*

Версия от 8.0.6 (включая) до 8.0.9 (включая)

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

Версия до 9.2.6.0 (исключая)

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

EPSS

Процентиль: 63%

0.00438

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-4m44-5j2g-xf64

CVSS3: 6.1

github

больше 3 лет назад

Improper Neutralization of Input During Web Page Generation in CKEditor4

BDU:2021-02352

CVSS3: 6.1

fstec

около 5 лет назад

Уязвимость плагина Color Dialog WYSIWYG-редактора CKEditor, позволяющая нарушителю проводить межсайтовые сценарные атаки

EPSS

Процентиль: 63%

0.00438

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79