A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted “protected” comment (with the cke_protected syntax).
A vulnerability has been found in CKEditor 4, from 4.0 up to and including the 4.13 releases, and classified as problematic. It affects an unknown code block of the component HTML Data Processor. Manipulation of an HTML comment (the "protected" comment form using the cke_protected syntax) leads to cross-site scripting. The CWE definition for the vulnerability is CWE-80 (basic XSS: improper neutralization of script-related HTML tags in a web page). The known impact is on integrity.
An attacker might be able to inject arbitrary HTML and script code into the web site. This would alter its appearance and would make it possible to initiate further attacks against site visitors, since the injected script runs in their browsers with the site's origin.
The weakness was published 03/07/2020. The identifier CVE-2020-9281 was assigned on 02/19/2020. The attack can be initiated remotely. At the time of this entry, neither technical details nor an exploit were publicly available.
Upgrading to version 4.14 or later fixes this vulnerability. To confirm which build a page is running, read CKEDITOR.version in the browser console; any 4.x value below 4.14 is affected.
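As an added example (not CKEditor's own code and not part of this advisory), the JavaScript helpers below let an operator triage this entry: isAffectedVersion() tests a version string against the advisory's range 4.0 <= v < 4.14, checkInstance() applies that test to CKEDITOR.version (a real CKEditor 4 global property), and findProtectedComments() lists HTML comments in stored content that carry the {cke_protected} marker, so content reaching the HTML Data Processor's protected-comment path can be reviewed. The comment shape `<!--{cke_protected}...-->`, its indexed variant `{cke_protected_N}`, and the percent-encoding of the comment body are assumptions made for this example, not taken from the CKEditor source; the sample HTML is constructed.

```javascript
// Added example, not CKEditor's own code: triage helpers for CVE-2020-9281.
// - isAffectedVersion(v): true when a CKEditor 4 version string lies in the
//   advisory's affected range, 4.0 <= v < 4.14.
// - checkInstance(cke): reads CKEDITOR.version (a real CKEditor 4 property)
//   from a page's global object and reports whether that build is affected.
// - findProtectedComments(html): lists HTML comments carrying the
//   "{cke_protected}" marker in stored content for manual review.
//   The comment shape "<!--{cke_protected}...-->", the "{cke_protected_N}"
//   variant and the percent-encoded body are assumptions for this example.

function parseVersion(v) {
  // Keep the leading numeric part of strings such as "4.13.1" or "4.14.0 (Standard)".
  const m = /^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(v));
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(v) {
  return compareVersions(v, '4.0') >= 0 && compareVersions(v, '4.14') < 0;
}

function checkInstance(cke) {
  // In a browser: checkInstance(window.CKEDITOR). Returns null when no CKEditor 4 global is present.
  if (!cke || typeof cke.version !== 'string') return null;
  return { version: cke.version, affected: isAffectedVersion(cke.version) };
}

// Assumed marker placement: "<!--{cke_protected}BODY-->" or "<!--{cke_protected_N}BODY-->".
const PROTECTED_COMMENT_RE = /<!--\s*\{cke_protected(?:_\d+)?\}([\s\S]*?)-->/g;

function findProtectedComments(html) {
  const hits = [];
  for (const m of String(html).matchAll(PROTECTED_COMMENT_RE)) {
    const raw = m[1];
    let decoded = null;
    let decodeError = false;
    try {
      // Assumed body encoding; malformed percent-encoding throws URIError and is reported, not dropped.
      decoded = decodeURIComponent(raw);
    } catch (e) {
      decodeError = true;
    }
    hits.push({ offset: m.index, raw, decoded, decodeError });
  }
  return hits;
}

// Constructed sample input: an ordinary comment (ignored) and two protected comments,
// one well-formed and one with broken percent-encoding.
const SAMPLE_HTML = [
  '<p>Hello</p>',
  '<!-- ordinary comment -->',
  '<!--{cke_protected}%3Cb%3Eneeds%20review%3C%2Fb%3E-->',
  '<!--{cke_protected_1}%E0%A4%A-->',
  '<p>Bye</p>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkInstance({ version: '4.13.1' })); // { version: '4.13.1', affected: true }
  console.log(checkInstance({ version: '4.14.0' })); // { version: '4.14.0', affected: false }
  console.log(findProtectedComments(SAMPLE_HTML));   // two hits, the second with decodeError: true
}
```

Run the scanner over exported page or database content rather than over the editor's live DOM: the point is to find stored documents that contain protected comments at all, since those are the inputs the patched data processor changed how it handles. A hit is a review item, not proof of exploitation.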