CVE-2021-32809
Arbitrary HTML injection vulnerability in ckeditor
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
ckeditor es un editor HTML WYSIWYG de código abierto con soporte de contenido enriquecido. Se ha detectado una potencial vulnerabilidad en el paquete CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard). La vulnerabilidad permitía abusar de la funcionalidad paste usando HTML malformado, lo que podía resultar en la inyección de HTML arbitrario en el editor. Afecta a todos los usuarios que usen los plugins de CKEditor 4 mencionados anteriormente en las versiones posteriores a 4.5.2 incluyéndola. El problema ha sido reconocido y parcheado. La corrección estará disponible en la versión 4.16.2
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-12 CVE Reserved
- 2021-08-12 CVE Published
- 2023-11-08 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpuoct2021.html | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Ckeditor Search vendor "Ckeditor" | Ckeditor Search vendor "Ckeditor" for product "Ckeditor" | >= 4.5.2 < 4.16.2 Search vendor "Ckeditor" for product "Ckeditor" and version " >= 4.5.2 < 4.16.2" | node.js |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Application Express Search vendor "Oracle" for product "Application Express" | < 21.1.4 Search vendor "Oracle" for product "Application Express" and version " < 21.1.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Party Management Search vendor "Oracle" for product "Banking Party Management" | 2.7.0 Search vendor "Oracle" for product "Banking Party Management" and version "2.7.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Commerce Guided Search Search vendor "Oracle" for product "Commerce Guided Search" | 11.3.2 Search vendor "Oracle" for product "Commerce Guided Search" and version "11.3.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Commerce Merchandising Search vendor "Oracle" for product "Commerce Merchandising" | 11.3.2 Search vendor "Oracle" for product "Commerce Merchandising" and version "11.3.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Documaker Search vendor "Oracle" for product "Documaker" | 12.6.3 Search vendor "Oracle" for product "Documaker" and version "12.6.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Documaker Search vendor "Oracle" for product "Documaker" | 12.6.4 Search vendor "Oracle" for product "Documaker" and version "12.6.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" | >= 8.0.7 <= 8.1.1 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version " >= 8.0.7 <= 8.1.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Jd Edwards Enterpriseone Tools Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" | < 9.2.6.0 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version " < 9.2.6.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" | 8.57 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" | 8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" | 8.59 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59" | - |
Affected
|