CVE-2021-41165

CWE-79Cross-site Scripting (XSS)10 documents7 sources
Severity
5.4MEDIUM
EPSS
0.1%
top 69.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
10
Ckeditor Ckeditor4Ckeditor CkeditorDrupal Drupal+7 more
Timeline
PublishedNov 17
Latest updateOct 15

Description

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:LExploitability: 2.3 | Impact: 5.3

Affected Packages13 packages

npmckeditor4< 4.17.0
CVEListV5ckeditor/ckeditor4< 4.17.0
NVDckeditor/ckeditor< 4.17.0
Packagistckeditor/ckeditor< 4.17.0
Debianckeditor< 4.19.0+dfsg-1

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
HTML comments vulnerability allowing to execute JavaScript code2021-11-17
OSV
HTML comments vulnerability allowing to execute JavaScript code2021-11-17
CVEList
HTML comments vulnerability allowing to execute JavaScript code2021-11-17
OSV
CVE-2021-41165: CKEditor4 is an open source WYSIWYG HTML editor2021-11-17

📋Vendor Advisories

5
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: UI (CKEditor) — CVE-2021-411652023-10-15
Oracle
Oracle Oracle Database Server Risk Matrix: Oracle Application Express (CKEditor) — CVE-2021-411652022-04-15
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Framework (CKEditor) — CVE-2021-411652022-01-15
Drupal
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-0112021-11-17
Debian
CVE-2021-41165: ckeditor - CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerabi...2021