RubySec

Providing security resources for the Ruby community

CVE-2021-33829 (ckeditor): ckeditor4 vulnerable to cross-site scripting

ADVISORIES

GEM

ckeditor

SEVERITY

CVSS v3.x: 6.1 (Medium)

UNAFFECTED VERSIONS

  • < 5.1.1

PATCHED VERSIONS

  • >= 5.1.2

DESCRIPTION

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!&gt; is mishandled.

RELATED