CIVI-SA-2022-05: CKEditor v4.18

Published
2022-03-16 12:00

CKEditor had a vulnerability that could allow execution of JavaScript code.

The exact degree of exploitability for CiviCRM has not been determined.

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

All versions less than or equal to: 5.47.1, 5.46.2, 5.45.3

Fixed Versions

CiviCRM versions 5.47.2, 5.46.3, and 5.45.4 ESR

Solutions

Any ONE of the following:

  • Upgrade to CiviCRM v5.47.2+, v5.46.3+, or v5.45.4+ ESR
  • Manually upgrade CKEditor to v4.18

Credits

Seamus Lee, Kevin Cristiano, and Tim Otten for adapting and validating on CiviCRM

CVE
CVE-2022-24728