CVE-2021-33829
published 2021-06-09

Priority: P3 · 39 · medium · CVSS 3.1: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 3.19% (86.5th percentile)

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

Affected

25 ranges
Vendor | Product | Version range | Fixed in
ckeditor | ckeditor | >= 0 < 4.16.0+dfsg-2 | 4.16.0+dfsg-2
ckeditor | ckeditor | >= 0 < 4.16.0+dfsg-2 | 4.16.0+dfsg-2
ckeditor | ckeditor | >= 0 < 4.5.7+dfsg-2ubuntu0.18.04.1 | 4.5.7+dfsg-2ubuntu0.18.04.1
ckeditor | ckeditor | >= 0 < 4.12.1+dfsg-1ubuntu0.1 | 4.12.1+dfsg-1ubuntu0.1
ckeditor | ckeditor | >= 0 < 4.5.7+dfsg-2ubuntu0.16.04.1~esm1 | 4.5.7+dfsg-2ubuntu0.16.04.1~esm1
ckeditor | ckeditor | >= 4.14.0 < 4.16.1 | 4.16.1
ckeditor | ckeditor4 | >= 4.14.0 < 4.16.1 | 4.16.1
debian | ckeditor | < ckeditor 4.16.0+dfsg-2 (bookworm) | ckeditor 4.16.0+dfsg-2 (bookworm)
debian | ckeditor3 | < ckeditor 4.16.0+dfsg-2 (bookworm) | ckeditor 4.16.0+dfsg-2 (bookworm)
debian | debian_linux | |
drupal | core | >= 7.0.0 < 7.80 | 7.80
drupal | core | >= 8.0.0 < 8.9.16 | 8.9.16
drupal | core | >= 9.0.0 < 9.0.14 | 9.0.14
drupal | core | >= 9.1.0 < 9.1.9 | 9.1.9
drupal | drupal | >= 7.0.0 < 7.80 | 7.80
drupal | drupal | >= 8.0.0 < 8.9.16 | 8.9.16
drupal | drupal | >= 8.9.0 < 8.9.16 | 8.9.16
drupal | drupal | >= 9.0.0 < 9.0.14 | 9.0.14
drupal | drupal | >= 9.0.0 < 9.0.14 | 9.0.14
drupal | drupal | >= 9.1.0 < 9.1.9 | 9.1.9
drupal | drupal | >= 9.1.0 < 9.1.9 | 9.1.9
drupal | drupal_core | |
fedoraproject | fedora | |
fedoraproject | fedora | |
fedoraproject | fedora | |

Detection & IOCs (extracted from sources)

command: body[und][0][value]=<p><!--[if gte IE 4]><!--></p><script>alert(document.domain)</script>
other: --!>
other: <script>alert(document.domain)</script>
  • Detect exploitation attempts by looking for HTTP POST requests to /node/add/page containing the XSS payload pattern with mishandled HTML comment syntax (--!>) in the body field.
  • Flag responses from Drupal nodes containing both the XSS payload marker and alert(document.domain), indicating successful stored/reflected XSS injection via CKEditor comment mishandling.
  • Shodan query for exposed CKEditor instances: cpe:"cpe:2.3:a:ckeditor:ckeditor" can be used to identify potentially vulnerable targets.
  • The vulnerability is only exploitable on sites with CKEditor enabled; triage alerts by confirming CKEditor is active on the target Drupal instance.
  • Monitor for authenticated POST requests to /node/add/page with body format set to full_html, which is the attack vector for this CVE in Drupal 7.
  • Exploitation requires an authenticated user session; the Nuclei template performs a login step first and chains the session cookie through subsequent requests.
  • The exploit requires the victim to view the malicious content after it is injected; this is a stored/reflected XSS requiring user interaction.
  • Drupal 8 versions prior to 8.9.x are end-of-life and do not receive security coverage; detection scope should include these legacy versions as they remain vulnerable.
  • Drupal 7 users of CKEditor via the WYSIWYG module (not shipped with Drupal core) must update their third-party code separately, as Drupal Security Team policy does not alert for third-party library issues unless shipped with core.
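
The request-side checks listed above, as an added detection sketch (not code from this page or from the Nuclei template). It decodes the form body before matching, because the marker is percent-encoded on the wire. The format field name, the sample requests and the PLACEHOLDER text are constructed assumptions.

```python
from urllib.parse import parse_qs, urlencode

TARGET_PATH = "/node/add/page"          # from the page's detection notes
BODY_FIELD = "body[und][0][value]"      # from the page's IOC list
FORMAT_FIELD = "body[und][0][format]"   # assumption: Drupal 7 text-format field
MARKER = "--!>"                         # mishandled comment terminator


def inspect_request(method, path, raw_body):
    """Return the reasons a request matches; an empty list means no match."""
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != TARGET_PATH:
        return []
    # Decode the form first: on the wire '>' is %3E, so grepping the raw
    # body for '--!>' would miss the marker.
    form = parse_qs(raw_body, keep_blank_values=True)
    reasons = []
    if any(MARKER in v for v in form.get(BODY_FIELD, [])):
        reasons.append("comment terminator --!> in body field")
        if "full_html" in form.get(FORMAT_FIELD, []):
            reasons.append("text format is full_html")
    return reasons


def _req(path, value, fmt, method="POST"):
    # Constructed sample request; PLACEHOLDER stands in for any trailing markup.
    return (method, path, urlencode({"title": "t", BODY_FIELD: value, FORMAT_FIELD: fmt}))


SAMPLES = [
    _req("/node/add/page", "<p><!-- draft --!>PLACEHOLDER</p>", "full_html"),
    _req("/node/add/page", "<p><!-- draft --></p>", "filtered_html"),
    _req("/node/add/page", "<p><!-- x --!>PLACEHOLDER</p>", "full_html", method="GET"),
]


def scan(requests):
    """Return (index, reasons) for every request that matches."""
    hits = []
    for i, (method, path, body) in enumerate(requests):
        reasons = inspect_request(method, path, body)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLES):
        print(idx, "; ".join(why))
```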

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N
osv | | 6.1 | MEDIUM |
vendor_debian | | 6.1 | MEDIUM |
vendor_ubuntu | | 6.1 | MEDIUM |