CVE-2018-9861

Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.

Database specific

{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:ckeditor:enhanced_image:*:*:*:*:*:ckeditor:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "4.5.10"
                },
                {
                    "fixed": "4.9.2"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "ckeditor:enhanced_image"
        }
    ]
}

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type

GIT

Repo

https://github.com/drupal/drupal

Events

Introduced

35c2f3ca5c935f3d8bde15932a712677c9bbd50f

Fixed

b6180ca447761f5b1cad02e3e6f045548f23b72a

Introduced

b73ab73d39dca97a12513e8a9e4f4da4b0676f5f

Fixed

a2fc3b0428c283cac503544f134500bbceaa5028

Database specific

{
    "extracted_events": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.4.7"
        },
        {
            "introduced": "8.5.0"
        },
        {
            "fixed": "8.5.2"
        }
    ],
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"
}

Affected versions

8.*

8.0.0

8.1.0-beta1

8.4.0

8.4.0-alpha1

8.4.0-beta1

8.4.0-rc1

8.4.0-rc2

8.4.1

8.4.3

8.4.4

8.4.5

8.4.6

8.5.0

8.5.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-9861.json"