CIVI-SA-2022-05: CKEditor v4.18

Published

2022-03-16 12:00

Written by

dev-team

CKEditor had a vulnerability that could allow execution of Javascript code.

The exact degree of exploitability for CiviCRM has not been determined.

Security Risk

Moderately Critical

Vulnerability

Cross Site Scripting

Affected Versions

All versions less than or equal to: 5.47.1, 5.46.2, 5.45.3

Fixed Versions

CiviCRM versions 5.47.2, 5.46.3, and 5.45.4 ESR

Publication Date

2022-03-16 - 12:00

Solutions

Any ONE of the following:

Upgrade to CiviCRM v5.47.2+, v5.46.3+, or v5.45.4+ ESR
Manually upgrade CKEditor v4.18

Credits

Seamus Lee, Kevin Cristiano, and Tim Otten for adapting and validating on CiviCRM

References

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89

CVE

CVE-2022-24728

We are in the process of translating the civicrm.org website. Translations may not be available in all languages. Read more and participate.

© 2005 - 2023, CIVICRM LLC. All rights reserved.
CiviCRM and the CiviCRM logo are trademarks of CIVICRM LLC. Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.

[D8]

CIVI-SA-2022-05: CKEditor v4.18

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2022-05: CKEditor v4.18

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM