Vulnerability DatabaseCVE-2022-24729

CVE-2022-24729:
Drupal vulnerability analysis and mitigation

Overview

CKEditor4, an open source what-you-see-is-what-you-get HTML editor, contained a vulnerability in the dialog plugin prior to version 4.18.0. The vulnerability (CVE-2022-24729) was discovered by the CKEditor 4 team during their regular security audit and disclosed on March 16, 2022. The issue affected the dialog plugin and any packages with dialog plugin dependency, including Link, Image, Enhanced Image, Code Snippet, and Iframe Dialog (GitHub Advisory).

Technical details

The vulnerability allowed abuse of a dialog input validator regular expression, which could cause a significant performance drop resulting in a browser tab freeze. This is classified as a Regular expression Denial of Service (ReDoS) vulnerability. The issue has been assigned a CVSS v3.1 base score of 7.5 HIGH by NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

Impact

When exploited, the vulnerability could cause significant performance degradation leading to browser tab freezes, effectively creating a denial of service condition for affected users. The impact primarily affects availability, with no direct impact on confidentiality or integrity of the system (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in CKEditor 4.18.0. Users are strongly recommended to upgrade to this version or later to address the security issue. There were no known workarounds available for this vulnerability prior to the patch (CKEditor Release).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

7.5

Score

Published March 16, 2022

Severity HIGH

CNA Score 6.5

Affected Technologies

Drupal
Oracle Peoplesoft Enterprise Peopletools

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 61.7

Exploitation Probability (EPSS) 0.4

Affected packages and libraries

ckeditor
ckeditor-samples

Sources

Debian Security Tracker
- Debian 10, 11 Severity MEDIUMNo FixAdded at: Mar 28, 2022
- Debian 12 Severity HIGHHas FixAdded at: Mar 28, 2022
NVD
- Linux Severity HIGHHas FixAdded at: Jul 11, 2022
- Windows Severity HIGHHas FixAdded at: Jul 11, 2022

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Drupal vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-48446	HIGH	8.8	PHP	cpe:2.3:a:drupal:drupal	No	Yes	Jun 11, 2025
CVE-2025-48445	HIGH	8.8	PHP	drupal/commerce_eurobank_redirect	No	Yes	Jun 11, 2025
CVE-2025-48447	HIGH	7.1	PHP	drupal/lightgallery	No	Yes	Jun 11, 2025
CVE-2025-48448	MEDIUM	6.5	PHP	drupal/admin_audit_trail	No	Yes	Jun 11, 2025
CVE-2025-48444	MEDIUM	5.3	PHP	drupal/quick_node_block	No	Yes	Jun 11, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2022-24729: Drupal vulnerability analysis and mitigation