CVE-2021-41164

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

References

Affected packages

Git

github.com/ckeditor/ckeditor-releases

Affected ranges

Type: GIT
Repo: https://github.com/ckeditor/ckeditor-releases
Events: Introduced

870a561110a23435d78eda377400dca7f64d3bd3

Fixed

5a0d3c84b4bc9eb7d1ecd8dfa9b660eb691553c2

Affected versions

4.*

4.0.1/standard

4.0/standard

4.1.1/standard

4.1.2/standard

4.1.3/standard

4.1/standard

4.1rc/standard

4.2.1/standard

4.2.2/standard

4.2.3/standard

4.2/standard

4.3.0/standard

4.3.1/standard

4.3.2/standard

standard/4.*

standard/4.10.0

standard/4.10.1

standard/4.11.0

standard/4.11.1

standard/4.11.2

standard/4.11.3

standard/4.11.4

standard/4.12.0

standard/4.12.1

standard/4.13.0

standard/4.13.1

standard/4.14.0

standard/4.14.1

standard/4.15.0

standard/4.15.1

standard/4.16.0

standard/4.16.1

standard/4.16.2

standard/4.3.3

standard/4.3.4

standard/4.3.5

standard/4.4.0

standard/4.4.1

standard/4.4.2

standard/4.4.3

standard/4.4.4

standard/4.4.5

standard/4.4.6

standard/4.4.7

standard/4.4.8

standard/4.5.0

standard/4.5.1

standard/4.5.10

standard/4.5.11

standard/4.5.2

standard/4.5.3

standard/4.5.4

standard/4.5.5

standard/4.5.6

standard/4.5.7

standard/4.5.8

standard/4.5.9

standard/4.6.0

standard/4.6.1

standard/4.6.2

standard/4.7.0

standard/4.7.1

standard/4.7.2

standard/4.7.3

standard/4.8.0

standard/4.9.0

standard/4.9.1

standard/4.9.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41164.json"

github.com/ckeditor/ckeditor4

Affected ranges

Type: GIT
Repo: https://github.com/ckeditor/ckeditor4
Events: Introduced

769d96134bcf29f5d3d870e25797ce9b9dc8289e

Fixed

cab78d432999c8bcd8213a2e0786026a5f9a44dc

Affected versions

4.*

4.0

4.0.0

4.0.1

4.0.1.1

4.0.2

4.0.3

4.1

4.1.0

4.1.1

4.1.2

4.1.3

4.10.0

4.10.1

4.11.0

4.11.1

4.11.2

4.11.3

4.11.4

4.12.0

4.12.1

4.13.0

4.13.1

4.14.0

4.14.1

4.15.0

4.15.1

4.16.0

4.16.1

4.16.2

4.1rc

4.2

4.2.0

4.2.1

4.2.2

4.2.3

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3beta

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.5.0

4.5.0-beta

4.5.1

4.5.10

4.5.11

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.6.0

4.6.1

4.6.2

4.7.0

4.7.1

4.7.2

4.7.3

4.8.0

4.9.0

4.9.1

4.9.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41164.json"

github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

5c6f14f762c9aef87cd2731818386f202ee8463c

Fixed

0398571aae84442c8fad6e9ce307aefb8c293b20

Introduced

943ecef3c0bc9822338252a7df6419aeb9253c9d

Fixed

ae75f828134e57bb1aed2ffb2635e6b28fc0e040

Introduced

a412ca41cfc0d954fe3cb2dd982dc6ca049b1c70

Fixed

e187f925ed6aa9d9d4b3121904c077aa54ba108a

Affected versions

8.*

8.9.0

8.9.1

8.9.10

8.9.11

8.9.12

8.9.13

8.9.14

8.9.15

8.9.16

8.9.17

8.9.18

8.9.19

8.9.2

8.9.3

8.9.4

8.9.5

8.9.6

8.9.8

8.9.9

9.*

9.1.0

9.1.1

9.1.10

9.1.11

9.1.12

9.1.13

9.1.2

9.1.3

9.1.4

9.1.5

9.1.6

9.1.7

9.1.8

9.1.9

9.2.0

9.2.1

9.2.2

9.2.3

9.2.4

9.2.5

9.2.6

9.2.7

9.2.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41164.json"