CVE-2021-41164

Published: 17 November 2021

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

Notes

Author	Note
sbeattie	embedded copies of ckeditor are in ldap-account-manager, rt4, and rt5
litios	no specific patch was found

Priority

CVSS 3 base score: 5.4

Status

Package	Release	Status
ckeditor Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	trusty	Does not exist
	upstream	Released (4.17.0)
	xenial	Ignored (out of standard support)
ckeditor3 Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Ignored (out of standard support)
ldap-account-manager Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Ignored (out of standard support)
request-tracker4 Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Ignored (out of standard support)

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999909

CVE-2021-41164

Notes

Medium

Status

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading