CVE-2021-26272
Published: 2021-01-26
Severity: medium (6.5, CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
Affected (21 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ckeditor | ckeditor | >= 0 < 4.16.0+dfsg-1 | 4.16.0+dfsg-1 |
| ckeditor | ckeditor | >= 0 < 4.16.0+dfsg-1 | 4.16.0+dfsg-1 |
| ckeditor | ckeditor | >= 4.0 < 4.16 | 4.16 |
| ckeditor | ckeditor4 | >= 0 < 4.16.0 | 4.16.0 |
| debian | ckeditor | < ckeditor 4.16.0+dfsg-1 (bookworm) | ckeditor 4.16.0+dfsg-1 (bookworm) |
| debian | ckeditor3 | < ckeditor 4.16.0+dfsg-1 (bookworm) | ckeditor 4.16.0+dfsg-1 (bookworm) |
| oracle | agile_plm | — | — |
| oracle | agile_plm | — | — |
| oracle | application_express | < 21.1.0 | 21.1.0 |
| oracle | banking_party_management | — | — |
| oracle | commerce_merchandising | — | — |
| oracle | commerce_merchandising | — | — |
| oracle | commerce_merchandising | 11.3.0 – 11.3.2 | — |
| oracle | financial_services_analytical_applications_infrastructure | — | — |
| oracle | financial_services_analytical_applications_infrastructure | — | — |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.6 – 8.0.9 | — |
| oracle | financial_services_model_management_and_governance | 8.0.8.0.0 – 8.1.0.0.0 | — |
| oracle | jd_edwards_enterpriseone_tools | < 9.2.6.0 | 9.2.6.0 |
| oracle | siebel_ui_framework | <= 21.9 | — |
| oracle | webcenter_sites | — | — |
| oracle | webcenter_sites | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| osv | — | 6.5 | MEDIUM | — |