ckeditor4 vulnerable to cross-site scripting
Published: June 21, 2021
SECURITY IDENTIFIERS
- CVE: CVE-2021-33829 (NVD)
- GHSA: GHSA-rgx6-rjj4-c388
- Vendor Advisory: https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
GEM
SEVERITY
CVSS v3.x: 6.1 (Medium)
UNAFFECTED VERSIONS
< 5.1.1
PATCHED VERSIONS
>= 5.1.2
DESCRIPTION
A cross-site scripting (XSS) vulnerability in the HTML Data Processor
in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject
executable JavaScript code through a crafted comment because --!> is mishandled.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2021-33829
- https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
- https://www.npmjs.com/package/ckeditor4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- https://www.drupal.org/sa-core-2021-003
- https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2021-33829.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2021-33829.yaml
- https://github.com/advisories/GHSA-rgx6-rjj4-c388