CVE-2021-33829
Published 2021-06-09
Priority: P3 · 39 · medium · CVSS 3.1: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 3.19% (86.5th percentile)
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ckeditor | ckeditor | >= 0 < 4.16.0+dfsg-2 | 4.16.0+dfsg-2 |
| ckeditor | ckeditor | >= 0 < 4.16.0+dfsg-2 | 4.16.0+dfsg-2 |
| ckeditor | ckeditor | >= 0 < 4.5.7+dfsg-2ubuntu0.18.04.1 | 4.5.7+dfsg-2ubuntu0.18.04.1 |
| ckeditor | ckeditor | >= 0 < 4.12.1+dfsg-1ubuntu0.1 | 4.12.1+dfsg-1ubuntu0.1 |
| ckeditor | ckeditor | >= 0 < 4.5.7+dfsg-2ubuntu0.16.04.1~esm1 | 4.5.7+dfsg-2ubuntu0.16.04.1~esm1 |
| ckeditor | ckeditor | >= 4.14.0 < 4.16.1 | 4.16.1 |
| ckeditor | ckeditor4 | >= 4.14.0 < 4.16.1 | 4.16.1 |
| debian | ckeditor | < ckeditor 4.16.0+dfsg-2 (bookworm) | ckeditor 4.16.0+dfsg-2 (bookworm) |
| debian | ckeditor3 | < ckeditor 4.16.0+dfsg-2 (bookworm) | ckeditor 4.16.0+dfsg-2 (bookworm) |
| debian | debian_linux | — | — |
| drupal | core | >= 7.0.0 < 7.80 | 7.80 |
| drupal | core | >= 8.0.0 < 8.9.16 | 8.9.16 |
| drupal | core | >= 9.0.0 < 9.0.14 | 9.0.14 |
| drupal | core | >= 9.1.0 < 9.1.9 | 9.1.9 |
| drupal | drupal | >= 7.0.0 < 7.80 | 7.80 |
| drupal | drupal | >= 8.0.0 < 8.9.16 | 8.9.16 |
| drupal | drupal | >= 8.9.0 < 8.9.16 | 8.9.16 |
| drupal | drupal | >= 9.0.0 < 9.0.14 | 9.0.14 |
| drupal | drupal | >= 9.0.0 < 9.0.14 | 9.0.14 |
| drupal | drupal | >= 9.1.0 < 9.1.9 | 9.1.9 |
| drupal | drupal | >= 9.1.0 < 9.1.9 | 9.1.9 |
| drupal | drupal_core | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
Detection & IOCs
command: body[und][0][value]=<p><!--[if gte IE 4]><!--></p><script>alert(document.domain)</script>
other: <script>alert(document.domain)</script>
- Detect exploitation attempts by looking for HTTP POST requests to /node/add/page containing the XSS payload pattern with mishandled HTML comment syntax (--!>) in the body field.
- Flag responses from Drupal nodes containing both the XSS payload marker and alert(document.domain), indicating successful stored/reflected XSS injection via CKEditor comment mishandling.
- Shodan query for exposed CKEditor instances: cpe:"cpe:2.3:a:ckeditor:ckeditor" can be used to identify potentially vulnerable targets.
- The vulnerability is only exploitable on sites with CKEditor enabled; triage alerts by confirming CKEditor is active on the target Drupal instance.
- Monitor for authenticated POST requests to /node/add/page with body format set to full_html, which is the attack vector for this CVE in Drupal 7.
- Exploitation requires an authenticated user session; the Nuclei template performs a login step first and chains the session cookie through subsequent requests.
- The exploit requires the victim to view the malicious content after it is injected; this is a stored/reflected XSS requiring user interaction.
- Drupal 8 versions prior to 8.9.x are end-of-life and do not receive security coverage; detection scope should include these legacy versions as they remain vulnerable.
- Drupal 7 users of CKEditor via the WYSIWYG module (not shipped with Drupal core) must update their third-party code separately, as Drupal Security Team policy does not alert for third-party library issues unless shipped with core.
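Added example (not part of the advisory data or the Nuclei template): one way to implement the request and response checks listed above in Python. The form key body[und][0][format], the function names and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Drupal 7 form keys. VALUE_FIELD appears on the page; FORMAT_FIELD is assumed.
VALUE_FIELD = "body[und][0][value]"
FORMAT_FIELD = "body[und][0][format]"
BANG_CLOSE = "--!>"  # comment terminator the advisory says is mishandled
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def score_request(method, path, raw_body):
    """Return the reasons a request deserves review; an empty list means ignore."""
    if method.upper() != "POST" or "node/add/page" not in path:
        return []
    form = parse_qs(raw_body, keep_blank_values=True)  # also URL-decodes
    value = "\n".join(form.get(VALUE_FIELD, []))
    if BANG_CLOSE not in value:
        return []
    reasons = ["body contains --!>"]
    if "full_html" in form.get(FORMAT_FIELD, []):
        reasons.append("format is full_html")
    if SCRIPT_TAG.search(value.split(BANG_CLOSE, 1)[1]):
        reasons.append("script tag after --!>")
    return reasons


def response_reflects(html):
    """True when a rendered node still carries a raw --!> followed by a script tag."""
    _, sep, tail = html.partition(BANG_CLOSE)
    return bool(sep) and bool(SCRIPT_TAG.search(tail))


# Constructed sample requests (method, path, form body); not captured traffic.
SAMPLES = [
    ("POST", "/node/add/page",
     urlencode({VALUE_FIELD: "<p>Quarterly report</p>", FORMAT_FIELD: "full_html"})),
    ("POST", "/node/add/page",
     urlencode({VALUE_FIELD: "<p><!-- draft --!> text</p>", FORMAT_FIELD: "full_html"})),
    ("POST", "/?q=node/add/page",
     urlencode({VALUE_FIELD: "<!-- x --!><SCRIPT></SCRIPT>", FORMAT_FIELD: "filtered_html"})),
    ("GET", "/node/add/page", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, score_request(method, path, body))
```

A full_html submission without the --!> marker is deliberately not flagged on its own, since ordinary editing produces it constantly; the marker is the discriminating signal and the other two reasons only raise priority.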
CVSS provenance
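| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |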
OSV
ckeditor vulnerabilities
osv·2022-03-23·CVSS 6.1
CVE-2018-9861 [MEDIUM]
USN-5340-1 fixed several vulnerabilities in CKEditor.
This update provides the fixes for CVE-2018-9861, CVE-2020-9281,
CVE-2021-32809, CVE-2021-33829 and CVE-2021-37695 for Ubuntu 16.04 ESM.
Original advisory details:
Kyaw Min Thein discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue
to execute arbitrary code. This issue only affects
Ubuntu 18.04 LTS. (CVE-2018-9861)
Michał Bentkowski discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
execute arbitrary code. This issue only affects
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-9281)
Anton Subbotin discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
ex
OSV
ckeditor vulnerabilities
osv·2022-03-22·CVSS 6.1
CVE-2018-9861 [MEDIUM]
Kyaw Min Thein discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue
to execute arbitrary code. This issue only affects
Ubuntu 18.04 LTS. (CVE-2018-9861)
Michał Bentkowski discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
execute arbitrary code. This issue only affects
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-9281)
Anton Subbotin discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
execute arbitrary code. This issue only affects
Ubuntu 21.10. (CVE-2021-32808)
Anton Subbotin discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
inject arbitrary code
GHSA
ckeditor4 vulnerable to cross-site scripting
ghsa·2021-06-21
CVE-2021-33829 [MEDIUM] CWE-79
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because `--!>` is mishandled.
OSV
ckeditor4 vulnerable to cross-site scripting
osv·2021-06-21
CVE-2021-33829 [MEDIUM]
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because `--!>` is mishandled.
OSV
CVE-2021-33829: A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4
osv·2021-06-09·CVSS 6.1
CVE-2021-33829 [MEDIUM]
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
OSV
osv·2021-05-26·CVSS 6.1
CVE-2021-33829 [MEDIUM]
**Update: 2021-06-11: Added CVE-2021-33829 identifier**
Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix.
Update: 2021-06-11: More details are available on [CKEditor's blog](https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser).
Users of the CKEditor library via means other than Drupal core should update their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal Security Team policy is not to alert for issues affecting 3rd party libraries unless those are shipped with Drupal core. See [DRUPAL-SA-PSA-2016-004 for more details](https://www.drupal.org/psa-2016-004).
This issue is mitigated by the
Ubuntu
CKEditor vulnerabilities
vendor_ubuntu·2022-03-23·CVSS 6.1
CVE-2021-32809 [MEDIUM]
Summary: Several security issues were fixed in CKEditor.
USN-5340-1 fixed several vulnerabilities in CKEditor.
This update provides the fixes for CVE-2018-9861, CVE-2020-9281,
CVE-2021-32809, CVE-2021-33829 and CVE-2021-37695 for Ubuntu 16.04 ESM.
Original advisory details:
Kyaw Min Thein discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue
to execute arbitrary code. This issue only affects
Ubuntu 18.04 LTS. (CVE-2018-9861)
Michał Bentkowski discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
execute arbitrary code. This issue only affects
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-9281)
Anton Subbotin discovered that CKEditor incorrectly handle
Ubuntu
CKEditor vulnerabilities
vendor_ubuntu·2022-03-22·CVSS 6.1
CVE-2020-9281 [MEDIUM]
Summary: Several security issues were fixed in CKEditor.
Kyaw Min Thein discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue
to execute arbitrary code. This issue only affects
Ubuntu 18.04 LTS. (CVE-2018-9861)
Michał Bentkowski discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
execute arbitrary code. This issue only affects
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-9281)
Anton Subbotin discovered that CKEditor incorrectly handled
certain inputs. An attacker could possibly use this issue to
execute arbitrary code. This issue only affects
Ubuntu 21.10. (CVE-2021-32808)
Anton Subbotin discovered that CKEditor incorrectly handled
certain inputs. A
Drupal
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003
vendor_drupal·2021-05-26·CVSS 6.1
CVE-2021-33829 [MEDIUM]
Vulnerability Type: Cross Site Scripting
Description: Update: 2021-06-11: Added CVE-2021-33829 identifier. Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix. Update: 2021-06-11: More details are available on CKEditor's blog. Users of the CKEditor library via means other than Drupal core should update their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal Security Team policy is not to alert for issues affecting 3rd party libraries unless those are shipped with Drupal core. See DRUPAL-SA-PSA-2016-004 for more details. This issue is mitigated by the fact that it only affect
Debian
CVE-2021-33829: ckeditor - A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEdito...
vendor_debian·2021·CVSS 6.1
CVE-2021-33829 [MEDIUM]
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
Scope: local
bookworm: resolved (fixed in 4.16.0+dfsg-2)
bullseye: resolved (fixed in 4.16.0+dfsg-2)
No detection rules found.
Nuclei
Drupal 7 CKEditor XSS
nuclei·CVSS 6.1
CVE-2021-33829 [MEDIUM]
CKEditor 4.14.0 through 4.16.x before 4.16.1 contains a reflected cross-site scripting caused by mishandling in comments, letting remote attackers inject executable JavaScript code, exploit requires victim to view malicious content.
Template:
id: CVE-2021-33829

info:
  name: Drupal 7 CKEditor XSS
  author: 0x_Akoko
  severity: medium
  description: |
    CKEditor 4.14.0 through 4.16.x before 4.16.1 contains a reflected cross-site scripting caused by mishandling in comments, letting remote attackers inject executable JavaScript code, exploit requires victim to view malicious content.
  impact: |
    Attackers can execute arbitrary JavaScript in the context of the victim's browser, leading to session hijacking or malicious actions.
  remediation: |
    Update to version 4.16.1 or later.
  re
No writeups or analysis indexed.
- https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
- https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- https://www.drupal.org/sa-core-2021-003