ADVISORIES

• CVE-2021-26272 (NVD)
• GHSA-wpvm-wqr4-p7cw
• Vendor Advisory

GEM

ckeditor

SEVERITY

CVSS v3.x: 6.5 (Medium)

PATCHED VERSIONS

• >= 5.1.2

DESCRIPTION

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2021-26272
• https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first
• https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://github.com/advisories/GHSA-wpvm-wqr4-p7cw