CKEditor: HTML processing module CVE-2022-24729 

Issue date: 29-06-2022
Affects versions: 15.0, 14.7, 13.4

Security Issue ID

SECURITY-316

 

Affected Product Version(s)

13.4.17, 15.0.1, 14.7.7 and all previous versions


Severity 

medium/high


Description

CVE-2022-24729

CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

Instructions

Update to the latest version.