GHSA-7h26-63m7-qhf2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7h26-63m7-qhf2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-7h26-63m7-qhf2/GHSA-7h26-63m7-qhf2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7h26-63m7-qhf2
- Aliases
- Published
- 2021-11-17T21:58:25Z
- Modified
- 2024-02-16T08:23:55.949408Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L CVSS Calculator
- Summary
- HTML comments vulnerability allowing to execute JavaScript code
- Details
-
Affected packages
The vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4.
Impact
A potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0.
Patches
The problem has been recognized and patched. The fix will be available in version 4.17.0.
For more information
Email us at security@cksource.com if you have any questions or comments about this advisory.
Acknowledgements
The CKEditor 4 team would like to thank William Bowling (wbowling) for recognizing and reporting this vulnerability.
- Database specific
{ "nvd_published_at": "2021-11-17T20:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-11-17T19:57:11Z" }- References
-
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2
- https://nvd.nist.gov/vuln/detail/CVE-2021-41165
- https://github.com/ckeditor/ckeditor4
- https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417
- https://www.drupal.org/sa-core-2021-011
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Affected packages
npm / ckeditor4
Package
- Name
- ckeditor4
- View open source insights on deps.dev
- Purl
- pkg:npm/ckeditor4
Packagist / ckeditor/ckeditor
Package
- Name
- ckeditor/ckeditor
- Purl
- pkg:composer/ckeditor/ckeditor
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.17.0
Affected versions
4.*
4.3.3
4.3.4
4.3.5
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.6.0
4.6.1
4.6.2
4.7.0
4.7.1
4.7.2
4.7.3
4.8.0
4.9.0
4.9.1
4.9.2
4.10.0
4.10.1
4.11.0
4.11.1
4.11.2
4.11.3
4.11.4
4.12.0
4.12.1
4.13.0
4.13.1
4.14.0
4.14.1
4.15.0
4.15.1
4.16.0
4.16.1
4.16.2