// For flags

CVE-2021-41164

Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

CKEditor4 es un editor HTML WYSIWYG de código abierto.&#xa0;En las versiones afectadas, se detectó una vulnerabilidad en el módulo Advanced Content Filter (ACF) y puede afectar a todos los plugins utilizados por CKEditor 4. La vulnerabilidad permitía inyectar HTML mal formado sin pasar por el saneamiento del contenido, lo que podría resultar en una la ejecución de código JavaScript.&#xa0;Afecta a todos los usuarios que utilizan CKEditor 4 en versiones anteriores a 4.17.0.&#xa0;El problema ha sido reconocido y parcheado.&#xa0;La corrección estará disponible en la versión 4.17.0

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-09-15 CVE Reserved
  • 2021-11-17 CVE Published
  • 2023-11-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ckeditor
Search vendor "Ckeditor"
Ckeditor
Search vendor "Ckeditor" for product "Ckeditor"
>= 4.0 < 4.17.0
Search vendor "Ckeditor" for product "Ckeditor" and version " >= 4.0 < 4.17.0"
-
Affected
Drupal
Search vendor "Drupal"
Drupal
Search vendor "Drupal" for product "Drupal"
>= 8.9.0 < 8.9.20
Search vendor "Drupal" for product "Drupal" and version " >= 8.9.0 < 8.9.20"
-
Affected
Drupal
Search vendor "Drupal"
Drupal
Search vendor "Drupal" for product "Drupal"
>= 9.1.0 < 9.1.14
Search vendor "Drupal" for product "Drupal" and version " >= 9.1.0 < 9.1.14"
-
Affected
Drupal
Search vendor "Drupal"
Drupal
Search vendor "Drupal" for product "Drupal"
>= 9.2.0 < 9.2.9
Search vendor "Drupal" for product "Drupal" and version " >= 9.2.0 < 9.2.9"
-
Affected
Oracle
Search vendor "Oracle"
Banking Apis
Search vendor "Oracle" for product "Banking Apis"
>= 18.1 <= 18.3
Search vendor "Oracle" for product "Banking Apis" and version " >= 18.1 <= 18.3"
-
Affected
Oracle
Search vendor "Oracle"
Banking Apis
Search vendor "Oracle" for product "Banking Apis"
19.1
Search vendor "Oracle" for product "Banking Apis" and version "19.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Apis
Search vendor "Oracle" for product "Banking Apis"
19.2
Search vendor "Oracle" for product "Banking Apis" and version "19.2"
-
Affected
Oracle
Search vendor "Oracle"
Banking Apis
Search vendor "Oracle" for product "Banking Apis"
20.1
Search vendor "Oracle" for product "Banking Apis" and version "20.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Apis
Search vendor "Oracle" for product "Banking Apis"
21.1
Search vendor "Oracle" for product "Banking Apis" and version "21.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Digital Experience
Search vendor "Oracle" for product "Banking Digital Experience"
>= 18.1 <= 18.3
Search vendor "Oracle" for product "Banking Digital Experience" and version " >= 18.1 <= 18.3"
-
Affected
Oracle
Search vendor "Oracle"
Banking Digital Experience
Search vendor "Oracle" for product "Banking Digital Experience"
19.1
Search vendor "Oracle" for product "Banking Digital Experience" and version "19.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Digital Experience
Search vendor "Oracle" for product "Banking Digital Experience"
19.2
Search vendor "Oracle" for product "Banking Digital Experience" and version "19.2"
-
Affected
Oracle
Search vendor "Oracle"
Banking Digital Experience
Search vendor "Oracle" for product "Banking Digital Experience"
20.1
Search vendor "Oracle" for product "Banking Digital Experience" and version "20.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Digital Experience
Search vendor "Oracle" for product "Banking Digital Experience"
21.1
Search vendor "Oracle" for product "Banking Digital Experience" and version "21.1"
-
Affected
Oracle
Search vendor "Oracle"
Agile Plm
Search vendor "Oracle" for product "Agile Plm"
9.3.6
Search vendor "Oracle" for product "Agile Plm" and version "9.3.6"
-
Affected
Oracle
Search vendor "Oracle"
Application Express
Search vendor "Oracle" for product "Application Express"
< 22.1
Search vendor "Oracle" for product "Application Express" and version " < 22.1"
-
Affected
Oracle
Search vendor "Oracle"
Commerce Guided Search
Search vendor "Oracle" for product "Commerce Guided Search"
11.3.2
Search vendor "Oracle" for product "Commerce Guided Search" and version "11.3.2"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.58
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"
-
Affected
Oracle
Search vendor "Oracle"
Peoplesoft Enterprise Peopletools
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"
8.59
Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"
-
Affected
Oracle
Search vendor "Oracle"
Webcenter Portal
Search vendor "Oracle" for product "Webcenter Portal"
12.2.1.3.0
Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Webcenter Portal
Search vendor "Oracle" for product "Webcenter Portal"
12.2.1.4.0
Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.4.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
37
Search vendor "Fedoraproject" for product "Fedora" and version "37"
-
Affected