← Back

CVE-2021-32809

nvd nist
Published: Aug 12, 2021Modified: Nov 21, 2024

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 / Impact: 2.7
Source: NVD

Description

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

Affected (15)

Ckeditor
1 product
Ckeditor
Fedoraproject
1 product
Fedora
Oracle
8 products
Application Express
Banking Party Management
Commerce Guided Search
Commerce Merchandising
Documaker
Financial Services Analytical Applications Infrastructure
Jd Edwards Enterpriseone Tools
Peoplesoft Enterprise Peopletools
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Ckeditor
From 4.5.2 to 4.16.2
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 33
Fedora
Version 34
Fedora
Version 35
Configuration C
11 vulnerable
Vulnerable SoftwareAffected Versions
Application Express
Before 21.1.4
Banking Party Management
Version 2.7.0
Commerce Guided Search
Version 11.3.2
Commerce Merchandising
Version 11.3.2
Oracle
Documaker
Version 12.6.3
Documaker
Version 12.6.4
Financial Services Analytical Applications Infrastructure
From 8.0.7 to 8.1.1
Jd Edwards Enterpriseone Tools
Before 9.2.6.0
Oracle
Peoplesoft Enterprise Peopletools
Version 8.57
Peoplesoft Enterprise Peopletools
Version 8.58
Peoplesoft Enterprise Peopletools
Version 8.59

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (12)

Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Source: security-advisories@github.com
Source: security-advisories@github.com
Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory

Timeline

No history available yet.