CVE-2021-26271
https://notcve.org/view.php?id=CVE-2021-26271
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin). Era posible ejecutar un ataque de tipo ReDoS dentro de CKEditor 4 versiones anteriores a 4.16, al persuadir a una víctima para pegar un texto diseñado en la entrada Styles de cuadros de diálogo específicos (en la pestaña Advanced para el plugin Dialogs) • https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuoct2021.html • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVE-2020-9281
https://notcve.org/view.php?id=CVE-2020-9281
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). Una vulnerabilidad de tipo cross-site scripting (XSS) en el HTML Data Processor for CKEditor versiones 4.0 anteriores a 4.14, permite a atacantes remotos inyectar script web arbitrario por medio de un comentario "protected" diseñado (con la sintaxis cke_protected). • https://github.com/ckeditor/ckeditor4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4 https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-17960
https://notcve.org/view.php?id=CVE-2018-17960
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. CKEditor en versiones 4.x anteriores a la 4.11.0 permite Cross-Site Scripting (XSS) ayudado por un usuario relacionado con una operación de pegado en modo origen. • http://www.securityfocus.com/bid/109205 https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released https://ckeditor.com/cke4/release/CKEditor-4.11.0 https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-9349 – CKEditor for WordPress <= 4.5.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-9349
The ckeditor-for-wordpress plugin before 4.5.3.1 for WordPress has reflected XSS in the "built-in (old)" file browser. El plugin ckeditor-for-wordpress antes de 4.5.3.1 para WordPress ha reflejado XSS en el navegador de archivos "built-in (old)". The CKEditor plugin before 4.5.3.1 for WordPress has reflected XSS in the built-in (old) file browser. • https://wordpress.org/plugins/ckeditor-for-wordpress/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-5191
https://notcve.org/view.php?id=CVE-2014-5191
Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en el plugin Preview anterior a 4.4.3 en CKEditor permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://ckeditor.com/node/136981 http://secunia.com/advisories/60036 http://www.securityfocus.com/bid/69161 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •