CVE-2020-9440: XSS
First published: Tue Mar 10 2020(Updated: )
A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ckeditor Ckeditor | =4.0 | |
| Webspellchecker Webspellchecker | <=5.5.7.5 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/177487
- https://exchange.xforce.ibmcloud.com/vulnerabilities/180875
- https://www.ibm.com/support/pages/node/6520510 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/
Frequently Asked Questions
What is CVE-2020-9440?
CVE-2020-9440 is a vulnerability in jQuery that allows for cross-site scripting attacks.
How does CVE-2020-9440 work?
CVE-2020-9440 occurs due to improper validation of user-supplied input by the HTML() function in jQuery, which can be exploited by a remote attacker to execute scripts in a victim's browser within the context of the hosting website.
What is the severity level of CVE-2020-9440?
CVE-2020-9440 has a severity level of medium, with a CVSS score of 6.1.
How can I fix the vulnerability CVE-2020-9440?
To fix the vulnerability CVE-2020-9440, it is recommended to update to a patched version of jQuery that addresses the issue.
Where can I find more information about CVE-2020-9440?
You can find more information about CVE-2020-9440 on the IBM X-Force Exchange website at the following links: [CVE-2020-9440](https://exchange.xforce.ibmcloud.com/vulnerabilities/177487) and [CVE-2020-9440](https://exchange.xforce.ibmcloud.com/vulnerabilities/180875).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/severity
- agent/author
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/tags
- agent/first-publish-date
- agent/event
- agent/trending
- vendor/ckeditor
- canonical/ckeditor ckeditor
- version/ckeditor ckeditor/4.0
- vendor/webspellchecker
- canonical/webspellchecker webspellchecker
- version/webspellchecker webspellchecker/5.5.7.5
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32