Published
2022-03-16 12:00
CKEditor had a vulnerability that could allow execution of JavaScript code.
The exact degree of exploitability for CiviCRM has not been determined.
Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions
All versions less than or equal to: 5.47.1, 5.46.2, 5.45.3
Fixed Versions
CiviCRM versions 5.47.2, 5.46.3, and 5.45.4 ESR
Solutions
Any ONE of the following:
- Upgrade to CiviCRM v5.47.2+, v5.46.3+, or v5.45.4+ ESR
- Manually upgrade CKEditor to v4.18
Credits
Seamus Lee, Kevin Cristiano, and Tim Otten for adapting and validating on CiviCRM
CVE
CVE-2022-24728