CVSS: 7.3EPSS: 0%CPEs: 18EXPL: 0CVE-2021-37695 – Execution of JavaScript code using malformed HTML in ckeditor
https://notcve.org/view.php?id=CVE-2021-37695
12 Aug 2021 — ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 15EXPL: 0CVE-2021-32809 – Arbitrary HTML injection vulnerability in ckeditor
https://notcve.org/view.php?id=CVE-2021-32809
12 Aug 2021 — ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.6EPSS: 0%CPEs: 20EXPL: 0CVE-2021-32808 – Cross-site scripting in ckeditor via abuse of undo functionality
https://notcve.org/view.php?id=CVE-2021-32808
12 Aug 2021 — ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-2460
https://notcve.org/view.php?id=CVE-2021-2460
20 Jul 2021 — Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server. The supported version that is affected is Prior to 21.1.0.00.04. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Data Reporter. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Data Reporter, atta... • https://www.oracle.com/security-alerts/cpujul2021.html •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-32723 – Regular Expression Denial of Service (ReDoS) in Prism
https://notcve.org/view.php?id=CVE-2021-32723
28 Jun 2021 — Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. • https://github.com/PrismJS/prism/pull/2688 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 16EXPL: 0CVE-2021-26272
https://notcve.org/view.php?id=CVE-2021-26272
26 Jan 2021 — It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin). Era posible ejecutar un ataque de tipo ReDoS dentro de CKEditor 4 versiones anteriores a 4.16, al persuadir a una víctima para pegar un texto similar a una URL en el editor y luego presionar Enter o Space (en el plugin Autolink) • https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.5EPSS: 0%CPEs: 11EXPL: 0CVE-2021-26271
https://notcve.org/view.php?id=CVE-2021-26271
26 Jan 2021 — It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin). Era posible ejecutar un ataque de tipo ReDoS dentro de CKEditor 4 versiones anteriores a 4.16, al persuadir a una víctima para pegar un texto diseñado en la entrada Styles de cuadros de diálogo específicos (en la pestaña Advanced para el plugin Dialogs) • https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.1EPSS: 0%CPEs: 23EXPL: 0CVE-2020-27193
https://notcve.org/view.php?id=CVE-2020-27193
12 Nov 2020 — A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs. Una vulnerabilidad de tipo cross-site scripting (XSS) en el plugin Color Dialog para CKEditor versión 4.15.0, permite a atacantes remotos ejecutar script web arbitrario después de persuadir a un usuario para que copie y pegue código HTML diseñado en una de las entradas del editor • https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 7CVE-2020-7760 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2020-7760
30 Oct 2020 — This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)* Esto afecta al paquete codemirror versiones anteriores a 5.58.2; el paquete org.apache.marmotta.webjars:codemirror anterior a 5.58.2. ... • https://github.com/codemirror/CodeMirror/commit/55d0333907117c9231ffdf555ae8824705993bbb • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14898
https://notcve.org/view.php?id=CVE-2020-14898
21 Oct 2020 — Vulnerability in the Oracle Application Express Packaged Apps component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Oracle Application Express Packaged Apps. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express Packaged Apps, attacks may ... • https://www.oracle.com/security-alerts/cpuoct2020.html •