CVE-2021-41164
Published: 17 November 2021
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
Notes
Author | Note |
---|---|
sbeattie | embedded copies of ckeditor are in ldap-account-manager, rt4, and rt5 |
litios | no specific patch was found |
Priority
CVSS 3 base score: 5.4
Status
Package | Release | Status |
---|---|---|
ckeditor Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
hirsute |
Ignored
(reached end-of-life)
|
|
impish |
Ignored
(reached end-of-life)
|
|
jammy |
Needs triage
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.17.0)
|
|
xenial |
Ignored
(out of standard support)
|
|
ckeditor3 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
hirsute |
Ignored
(reached end-of-life)
|
|
impish |
Ignored
(reached end-of-life)
|
|
jammy |
Needs triage
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(out of standard support)
|
|
ldap-account-manager Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
hirsute |
Ignored
(reached end-of-life)
|
|
impish |
Ignored
(reached end-of-life)
|
|
jammy |
Needs triage
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(out of standard support)
|
|
request-tracker4 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
hirsute |
Ignored
(reached end-of-life)
|
|
impish |
Ignored
(reached end-of-life)
|
|
jammy |
Needs triage
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(out of standard support)
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41164
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj (v4.17.0)
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj
- https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417
- https://www.drupal.org/sa-core-2021-011
- NVD
- Launchpad
- Debian