CVE-2021-37695

Severity: 5.4 MEDIUM
EPSS: 0.7% (top 27.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 13; latest update Apr 15

Description

CKEditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in the CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed the injection of malformed Fake Objects HTML, which could result in the execution of JavaScript code. It affects all users of the CKEditor 4 plugins listed above at versions < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Exploitability: 2.1 | Impact: 5.2

Affected Packages (15 packages)

npm: ckeditor4 < 4.16.2
NVD: ckeditor/ckeditor < 4.16.2
CVEListV5: ckeditor/ckeditor4 < 4.16.2
Debian: ckeditor < 4.16.2+dfsg-1
Ubuntu: ckeditor < 4.5.7+dfsg-2ubuntu0.16.04.1~esm1

Also affects: Debian Linux 9.0, Fedora 33, 34, 35

Patches

Vulnerability Details (7)

OSV: ckeditor vulnerabilities (2022-03-23)
GHSA: CKEditor 4 vulnerabilities in versions <4.16.1 (2021-08-23)
OSV: CKEditor 4 vulnerabilities in versions <4.16.1 (2021-08-23)
GHSA: Fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML. (2021-08-23)
OSV: Fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML. (2021-08-23)

Vendor Advisories (6)

Oracle: Oracle Siebel CRM Risk Matrix: Open UI (CKEditor) — CVE-2021-37695 (2023-04-15)
Ubuntu: CKEditor vulnerabilities (2022-03-23)
Ubuntu: CKEditor vulnerabilities (2022-03-22)
Oracle: Oracle Database Server Risk Matrix: Oracle Application Express (CKEditor) — CVE-2021-37695 (2022-01-15)
Oracle: Oracle Commerce Risk Matrix: Content Acquisition System (CKEditor) — CVE-2021-37695 (2021-10-15)