CVE-2022-31175 Vulnerability Details

  /     /     /  

CVE-2022-31175 Metadata Quick Info

CVE Published: 03/08/2022 | CVE Updated: 03/08/2024 | CVE Year: 2022
Source: GitHub_M | Vendor: ckeditor | Product: ckeditor5
Status : PUBLISHED

---

CVE-2022-31175 Description

CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5\'s packages in versions prior to 35.0.1. The vulnerability allowed to trigger a JavaScript code after fulfilling special conditions. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The specific conditions are 1) Using one of the affected packages. In case of `ckeditor5-html-support` and `ckeditor5-html-embed`, additionally, it was required to use a configuration that allows unsafe markup inside the editor. 2) Destroying the editor instance and 3) Initializing the editor on an element and using an element other than `` as a base. The root cause of the issue was a mechanism responsible for updating the source element with the markup coming from the CKEditor 5 data pipeline after destroying the editor. This vulnerability might affect a small percent of integrators that depend on dynamic editor initialization/destroy and use Markdown, General HTML Support or HTML embed features. The problem has been recognized and patched. The fix is available in version 35.0.1. There are no known workarounds for this issue. <br /><br /> <h2>Metrics</h2> <span style = "font-size:14px;" >CVSS Version: 3.1</span> | <span style = "font-size:14px;" >Base Score: 5.8 MEDIUM</span><br /> <span style = "font-size:14px;" >Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L</span> <br /><br /> <span style = "font-size:14px;" ><strong>l➤ Exploitability Metrics:</strong><br /> <span style = "font-size:14px;" >     Attack Vector (AV)* NETWORK</span> <br /> <span style = "font-size:14px;" >     Attack Complexity (AC)* HIGH</span> <br /> <span style = "font-size:14px;" >     Privileges Required (PR)* NONE</span> <br /> <span style = "font-size:14px;" >     User Interaction (UI)* REQUIRED</span> <br /> <span style = "font-size:14px;" >     Scope (S)* CHANGED</span> <br /><br /> <span style = "font-size:14px;" ><strong>l➤ Impact Metrics:</strong><br /> <span style = "font-size:14px;" >     Confidentiality Impact (C)* LOW</span> <br /> <span style = "font-size:14px;" >     Integrity Impact (I)* LOW</span> <br /> <span style = "font-size:14px;" >     Availability Impact (A)* LOW</span> <br /><br /> <h2>Weakness Enumeration (CWE)</h2> <span style = "font-size:14px;" >CWE-ID: CWE-79</span> <br /> <span style = "font-size:14px;" >CWE Name: CWE-79: Improper Neutralization of Input During Web Page Generation ( Cross-site Scripting )</span> <br /> <span style = "font-size:14px;" >Source: ckeditor</span> <br /><br /> <h2>Common Attack Pattern Enumeration and Classification (CAPEC)</h2> <span style = "font-size:14px;" >CAPEC-ID: </span> <br /> <span style = "font-size:14px;" >CAPEC Description: </span> <br /><br /><br /> <span style = "font-size:12px;"> Source: NVD (National Vulnerability Database). </span> </p> </div> </div> </section> <section class="defend"> <div class="inner-section"> <div class="gridx2"> <div class="grid-text"> <caption> <!-- <h2></h2> <br /> --> </caption> <table class="report-table"> <caption> Last added CVEs </caption> <tr> <td> <a href = ""> <svg xmlns="http://www.w3.org/2000/svg" width="25" height="25" fill="currentColor" class="bi bi-bug" viewBox="0 0 16 16"> <path d="M4.355.522a.5.5 0 0 1 .623.333l.291.956A5 5 0 0 1 8 1c1.007 0 1.946.298 2.731.811l.29-.956a.5.5 0 1 1 .957.29l-.41 1.352A5 5 0 0 1 13 6h.5a.5.5 0 0 0 .5-.5V5a.5.5 0 0 1 1 0v.5A1.5 1.5 0 0 1 13.5 7H13v1h1.5a.5.5 0 0 1 0 1H13v1h.5a1.5 1.5 0 0 1 1.5 1.5v.5a.5.5 0 1 1-1 0v-.5a.5.5 0 0 0-.5-.5H13a5 5 0 0 1-10 0h-.5a.5.5 0 0 0-.5.5v.5a.5.5 0 1 1-1 0v-.5A1.5 1.5 0 0 1 2.5 10H3V9H1.5a.5.5 0 0 1 0-1H3V7h-.5A1.5 1.5 0 0 1 1 5.5V5a.5.5 0 0 1 1 0v.5a.5.5 0 0 0 .5.5H3c0-1.364.547-2.601 1.432-3.503l-.41-1.352a.5.5 0 0 1 .333-.623M4 7v4a4 4 0 0 0 3.5 3.97V7zm4.5 0v7.97A4 4 0 0 0 12 11V7zM12 6a4 4 0 0 0-1.334-2.982A3.98 3.98 0 0 0 8 2a3.98 3.98 0 0 0-2.667 1.018A4 4 0 0 0 4 6z"/> </svg><br /> ▸ CVE-2024-9999 ◂<br /> Discovered: 12/11/2024<br /> Status: PUBLISHED </a> </td> <td> <a href = ""> <svg xmlns="http://www.w3.org/2000/svg" width="25" height="25" fill="currentColor" class="bi bi-bug" viewBox="0 0 16 16"> <path d="M4.355.522a.5.5 0 0 1 .623.333l.291.956A5 5 0 0 1 8 1c1.007 0 1.946.298 2.731.811l.29-.956a.5.5 0 1 1 .957.29l-.41 1.352A5 5 0 0 1 13 6h.5a.5.5 0 0 0 .5-.5V5a.5.5 0 0 1 1 0v.5A1.5 1.5 0 0 1 13.5 7H13v1h1.5a.5.5 0 0 1 0 1H13v1h.5a1.5 1.5 0 0 1 1.5 1.5v.5a.5.5 0 1 1-1 0v-.5a.5.5 0 0 0-.5-.5H13a5 5 0 0 1-10 0h-.5a.5.5 0 0 0-.5.5v.5a.5.5 0 1 1-1 0v-.5A1.5 1.5 0 0 1 2.5 10H3V9H1.5a.5.5 0 0 1 0-1H3V7h-.5A1.5 1.5 0 0 1 1 5.5V5a.5.5 0 0 1 1 0v.5a.5.5 0 0 0 .5.5H3c0-1.364.547-2.601 1.432-3.503l-.41-1.352a.5.5 0 0 1 .333-.623M4 7v4a4 4 0 0 0 3.5 3.97V7zm4.5 0v7.97A4 4 0 0 0 12 11V7zM12 6a4 4 0 0 0-1.334-2.982A3.98 3.98 0 0 0 8 2a3.98 3.98 0 0 0-2.667 1.018A4 4 0 0 0 4 6z"/> </svg><br /> ▸ CVE-2024-9997 ◂<br /> Discovered: 29/10/2024<br /> Status: PUBLISHED </a> </td> <td> <a href = ""> <svg xmlns="http://www.w3.org/2000/svg" width="25" height="25" fill="currentColor" class="bi bi-bug" viewBox="0 0 16 16"> <path d="M4.355.522a.5.5 0 0 1 .623.333l.291.956A5 5 0 0 1 8 1c1.007 0 1.946.298 2.731.811l.29-.956a.5.5 0 1 1 .957.29l-.41 1.352A5 5 0 0 1 13 6h.5a.5.5 0 0 0 .5-.5V5a.5.5 0 0 1 1 0v.5A1.5 1.5 0 0 1 13.5 7H13v1h1.5a.5.5 0 0 1 0 1H13v1h.5a1.5 1.5 0 0 1 1.5 1.5v.5a.5.5 0 1 1-1 0v-.5a.5.5 0 0 0-.5-.5H13a5 5 0 0 1-10 0h-.5a.5.5 0 0 0-.5.5v.5a.5.5 0 1 1-1 0v-.5A1.5 1.5 0 0 1 2.5 10H3V9H1.5a.5.5 0 0 1 0-1H3V7h-.5A1.5 1.5 0 0 1 1 5.5V5a.5.5 0 0 1 1 0v.5a.5.5 0 0 0 .5.5H3c0-1.364.547-2.601 1.432-3.503l-.41-1.352a.5.5 0 0 1 .333-.623M4 7v4a4 4 0 0 0 3.5 3.97V7zm4.5 0v7.97A4 4 0 0 0 12 11V7zM12 6a4 4 0 0 0-1.334-2.982A3.98 3.98 0 0 0 8 2a3.98 3.98 0 0 0-2.667 1.018A4 4 0 0 0 4 6z"/> </svg><br /> ▸ CVE-2024-9996 ◂<br /> Discovered: 29/10/2024<br /> Status: PUBLISHED </a> </td> </tr> </table> <caption> <br /><br /><br /> <p class="vuln-info"> <strong>Tags:</strong><br /> CVE-2022-31175 Vulnerability Details </p> </caption> <br /> </div> </div> </div> </section> <footer> <div class="footer-logo"> <svg xmlns="http://www.w3.org/2000/svg" width="58" height="58" fill="#f18a3b" class="bi bi-cloud-download" viewBox="0 0 16 16"> <path d="M4.406 1.342A5.53 5.53 0 0 1 8 0c2.69 0 4.923 2 5.166 4.579C14.758 4.804 16 6.137 16 7.773 16 9.569 14.502 11 12.687 11H10a.5.5 0 0 1 0-1h2.688C13.979 10 15 8.988 15 7.773c0-1.216-1.02-2.228-2.313-2.228h-.5v-.5C12.188 2.825 10.328 1 8 1a4.53 4.53 0 0 0-2.941 1.1c-.757.652-1.153 1.438-1.153 2.055v.448l-.445.049C2.064 4.805 1 5.952 1 7.318 1 8.785 2.23 10 3.781 10H6a.5.5 0 0 1 0 1H3.781C1.708 11 0 9.366 0 7.318c0-1.763 1.266-3.223 2.942-3.593.143-.863.698-1.723 1.464-2.383"/> <path d="M7.646 15.854a.5.5 0 0 0 .708 0l3-3a.5.5 0 0 0-.708-.708L8.5 14.293V5.5a.5.5 0 0 0-1 0v8.793l-2.146-2.147a.5.5 0 0 0-.708.708z"/> </svg> <span style = "font-size: 22px; color: #fff; padding: 0 10px;"> Free Software Downloads, News and Reviews </span> </div> <div class="footer-inner"> <div class="footer-column"> <strong>Info</strong> <ul> </ul> </div> <div class="footer-column"> <strong>Legal</strong> <ul> <li><a title = "GDPR" href="#">GDPR</a></li> <li><a title = "Contact" href="https://freedownloadsnow.com/contact">Contact</a></li> <li><a title = "ToS" href="#">ToS</a></li> <li><a title = "Sitemap" href="https://freedownloadsnow.com/sitemap">Sitemap</a></li> </ul> </div> <div class="footer-column"> <strong>Partners</strong> <ul> <li> <a target="_blank" title = "Curs Cybersecurity" href="https://www.curs-cybersecurity.ro/"> <svg xmlns="http://www.w3.org/2000/svg" width="15" height="15" fill="currentColor" class="bi bi-shield-fill-check" viewBox="0 0 16 16"> <path fill-rule="evenodd" d="M8 0c-.69 0-1.843.265-2.928.56-1.11.3-2.229.655-2.887.87a1.54 1.54 0 0 0-1.044 1.262c-.596 4.477.787 7.795 2.465 9.99a11.8 11.8 0 0 0 2.517 2.453c.386.273.744.482 1.048.625.28.132.581.24.829.24s.548-.108.829-.24a7 7 0 0 0 1.048-.625 11.8 11.8 0 0 0 2.517-2.453c1.678-2.195 3.061-5.513 2.465-9.99a1.54 1.54 0 0 0-1.044-1.263 63 63 0 0 0-2.887-.87C9.843.266 8.69 0 8 0m2.146 5.146a.5.5 0 0 1 .708.708l-3 3a.5.5 0 0 1-.708 0l-1.5-1.5a.5.5 0 1 1 .708-.708L7.5 7.793z"></path> </svg> Curs-cybersecurity.ro </a> </li> </ul> </div> <div class="footer-column"> <strong>Last News</strong> <ul> <li> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-calendar" viewBox="0 0 16 16"> <path d="M3.5 0a.5.5 0 0 1 .5.5V1h8V.5a.5.5 0 0 1 1 0V1h1a2 2 0 0 1 2 2v11a2 2 0 0 1-2 2H2a2 2 0 0 1-2-2V3a2 2 0 0 1 2-2h1V.5a.5.5 0 0 1 .5-.5M1 4v10a1 1 0 0 0 1 1h12a1 1 0 0 0 1-1V4z"/> </svg> 01/07/2025 <a title = "ArcSight prepares for future at user conference post HP acquisition" href ="https://freedownloadsnow.com/news/news-ArcSight-prepares-for-future-at-user-conference-post-HP-acquisition-id29445"> ArcSight prepares for ... </a><br> <li> </ul> <ul> <li> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-calendar" viewBox="0 0 16 16"> <path d="M3.5 0a.5.5 0 0 1 .5.5V1h8V.5a.5.5 0 0 1 1 0V1h1a2 2 0 0 1 2 2v11a2 2 0 0 1-2 2H2a2 2 0 0 1-2-2V3a2 2 0 0 1 2-2h1V.5a.5.5 0 0 1 .5-.5M1 4v10a1 1 0 0 0 1 1h12a1 1 0 0 0 1-1V4z"/> </svg> 01/07/2025 <a title = "Samsung Epic 4G: First To Use Media Hub" href ="https://freedownloadsnow.com/news/news-Samsung-Epic-4G:-First-To-Use-Media-Hub-id29444"> Samsung Epic 4G: ... </a><br> <li> </ul> <ul> <li> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-calendar" viewBox="0 0 16 16"> <path d="M3.5 0a.5.5 0 0 1 .5.5V1h8V.5a.5.5 0 0 1 1 0V1h1a2 2 0 0 1 2 2v11a2 2 0 0 1-2 2H2a2 2 0 0 1-2-2V3a2 2 0 0 1 2-2h1V.5a.5.5 0 0 1 .5-.5M1 4v10a1 1 0 0 0 1 1h12a1 1 0 0 0 1-1V4z"/> </svg> 01/07/2025 <a title = "Many third-party software fails security tests" href ="https://freedownloadsnow.com/news/news-Many-third-party-software-fails-security-tests-id29443"> Many third-party software ... </a><br> <li> </ul> </div> </div> <div> <div class="footer-social"> <a class="facebook" href="#">facebook</a> <a class="twitter" href="#">twitter</a> <a class="youtube" href="#">youtube</a> <a class="linkedin" href="#">linkedin</a> </div> <p class="copyright"><span>Copyright © 2025 Free Downloads Now</span></p> </div> </footer> </body> </html>