Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-33829 — Cross-site Scripting in Ckeditor

CWE-79 — Cross-site Scripting12 documents8 sources

Severity

6.1MEDIUMNVD

EPSS

49.7%

top 2.19%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Ckeditor Drupal Drupal Core +3 more

Timeline

PublishedJun 9

Latest updateMar 23

Description

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages7 packages

▶NVDckeditor/ckeditor4.14.0 — 4.16.1

▶npmckeditor/ckeditor44.14.0 — 4.16.1

▶Debianckeditor/ckeditor< 4.16.0+dfsg-2+1

▶Ubuntuckeditor/ckeditor< 4.5.7+dfsg-2ubuntu0.16.04.1~esm1

▶Packagistdrupal/core7.0.0 — 7.80+3

Also affects: Debian Linux 9.0, Fedora 33, 34, 35

Patches

Patch: ckeditor.com ↗Patch: www.drupal.org ↗Patch: ckeditor.com ↗

🔴Vulnerability Details

OSV

ckeditor vulnerabilities↗2022-03-23

▶

GHSA

ckeditor4 vulnerable to cross-site scripting↗2021-06-21

▶

OSV

ckeditor4 vulnerable to cross-site scripting↗2021-06-21

▶

CVEList

CVE-2021-33829: A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4↗2021-06-09

▶

OSV

CVE-2021-33829: A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4↗2021-06-09

▶

💥Exploits & PoCs

Nuclei

Drupal 7 CKEditor XSS

▶

📋Vendor Advisories

Ubuntu

CKEditor vulnerabilities↗2022-03-23

▶

Ubuntu

CKEditor vulnerabilities↗2022-03-22

▶

Drupal

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003↗2021-05-26

▶

Debian

CVE-2021-33829: ckeditor - A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEdito...↗2021

▶