GHSA-6226-h7ff-ch6c

Source

https://github.com/advisories/GHSA-6226-h7ff-ch6c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6226-h7ff-ch6c/GHSA-6226-h7ff-ch6c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6226-h7ff-ch6c

Aliases

CVE-2021-32808

Published

2021-08-23T19:40:48Z

Modified

2023-11-08T04:06:00.769178Z

Severity

7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N CVSS Calculator

Summary

Widget feature vulnerability allowing to execute JavaScript code using undo functionality

Details

Affected packages

The vulnerability has been discovered in Widget plugin if used alongside Undo feature.

Impact

A potential vulnerability has been discovered in CKEditor 4 Widget package. The vulnerability allowed to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0.

Patches

The problem has been recognized and patched. The fix will be available in version 4.16.2.

For more information

Email us at security@cksource.com if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Anton Subbotin (skavans) for recognizing and reporting this vulnerability.

Database specific

{
    "nvd_published_at": "2021-08-12T17:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-23T16:49:07Z"
}

References

Affected packages

npm / ckeditor4

Package

Name: ckeditor4; View open source insights on deps.dev
Purl: pkg:npm/ckeditor4

Affected ranges

Type: SEMVER
Events: Introduced

4.13.0

Fixed

4.16.2