CVE-2021-41164
Published: 17 November 2021
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
Notes
| Author | Note |
|---|---|
| sbeattie | embedded copies of ckeditor are in ldap-account-manager, rt4, and rt5 |
| litios | no specific patch was found |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ckeditor3 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| jammy |
Needs triage
|
|
| lunar |
Needs triage
|
|
| mantic |
Needs triage
|
|
|
ldap-account-manager Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| xenial |
Needs triage
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| jammy |
Needs triage
|
|
| lunar |
Needs triage
|
|
| mantic |
Needs triage
|
|
|
request-tracker4 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| impish |
Ignored
(end of life)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
| hirsute |
Ignored
(end of life)
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| jammy |
Needs triage
|
|
| lunar |
Needs triage
|
|
| mantic |
Needs triage
|
|
|
ckeditor Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.17.0)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| xenial |
Needs triage
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| jammy |
Needs triage
|
|
| lunar |
Not vulnerable
(4.19.1+dfsg-1)
|
|
| mantic |
Not vulnerable
(4.19.1+dfsg-1)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.4 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41164
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj (v4.17.0)
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj
- https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417
- https://www.drupal.org/sa-core-2021-011
- NVD
- Launchpad
- Debian