{"id":"CVE-2020-9440","details":"A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.","modified":"2026-03-14T08:23:44.075541Z","published":"2020-03-10T17:15:13.207Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/"},{"type":"ADVISORY","url":"https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ckeditor/ckeditor-releases","events":[{"introduced":"0"},{"last_affected":"870a561110a23435d78eda377400dca7f64d3bd3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.0"}]}}],"versions":["4.0/standard"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"5.5.7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-9440.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}