Moderate severity · NVD Advisory · Published Mar 7, 2020 · Updated Aug 4, 2024

CVE-2020-9281

Description

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CKEditor 4.x before 4.14 has an XSS vulnerability in its HTML Data Processor allowing attackers to inject arbitrary JavaScript via crafted protected comments.

The vulnerability is a stored cross-site scripting (XSS) issue in CKEditor 4's HTML Data Processor. The processor improperly handles "protected" comments using the cke_protected syntax, allowing an attacker to inject arbitrary HTML or JavaScript [1]. This affects CKEditor 4.0 through 4.13.

To exploit, an attacker must craft a comment with cke_protected markers containing malicious code. When the editor processes the HTML, the comment is stripped but the code remains, leading to XSS when the content is rendered. The attack requires no authentication if the editor is used on a publicly accessible page.

Successful exploitation allows arbitrary JavaScript execution in the context of the victim's session, potentially leading to data theft, session hijacking, or defacement. The vulnerability is rated medium severity.

The issue is fixed in CKEditor 4.14 released in February 2020 [1]. Users should upgrade. CKEditor 4 reached end of life in June 2023, but commercial LTS support continues until December 2028 [2]. No workaround is mentioned.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: ckeditor4 (npm)
Affected versions: < 4.14.0
Patched versions: 4.14.0
