CVE-2021-41164
CVE-2021-41164 is a medium-severity vulnerability rated 5.4/10 on the CVSS 3.1 scale. CKEditor 4 is an open source WYSIWYG HTML editor; in versions before 4.17.0 a flaw in its Advanced Content Filter (ACF) module, which can affect every plugin used by CKEditor 4, lets malformed HTML bypass content sanitization and may result in JavaScript execution in the browser of a user who views the content. EPSS estimates a 1.26% chance of exploitation in the next 30 days.
Description
CKEditor 4 is an open source WYSIWYG HTML editor. A vulnerability was discovered in its Advanced Content Filter (ACF) module; because ACF is the sanitization layer shared by the whole editor, it may affect all plugins used by CKEditor 4. The flaw allows malformed HTML to be injected in a way that bypasses content sanitization, which can result in execution of attacker-controlled JavaScript. It affects all users of CKEditor 4 at versions earlier than 4.17.0. The problem has been recognized and patched; the fix is available in version 4.17.0.
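The practical question this description raises is whether a given deployment sits in the affected range. As an added example (not code from this page or from the CKEditor project), the Node.js script below classifies a CKEditor 4 version string against the fixed version 4.17.0 and pulls that string out of a built ckeditor.js. The fixed version and the affected major come from the advisory; the `version:"x.y.z"` literal the regex searches for, and the two sample build fragments, are assumptions constructed for this example.

```javascript
// Added example: classify a CKEditor 4 version against CVE-2021-41164.
// FIXED_VERSION and AFFECTED_MAJOR come from the advisory text; the regex used to
// find the version literal inside a built ckeditor.js is an assumption, not a
// documented format, so a null result means "inspect manually", not "safe".
const FIXED_VERSION = "4.17.0";
const AFFECTED_MAJOR = 4;

// Parse "major.minor[.patch]"; any suffix after the patch (e.g. "-beta") is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Numeric three-component comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected iff it is a CKEditor 4 release older than 4.17.0.
// CKEditor 5 is a separate code base and is out of scope of this CVE.
function isAffected(version) {
  if (parseVersion(version)[0] !== AFFECTED_MAJOR) return false;
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Pull the version literal out of a built ckeditor.js (assumed shape: version:"4.x.y").
function extractVersionFromBuild(source) {
  const m = /\bversion\s*[:=]\s*["'](\d+\.\d+(?:\.\d+)?)/.exec(source);
  return m ? m[1] : null;
}

// Full assessment of one build file's contents.
function assessBuild(source) {
  const version = extractVersionFromBuild(source);
  if (version === null) {
    return {
      version: null,
      affected: null,
      advice: "no version literal found; check CKEDITOR.version in the browser console",
    };
  }
  const affected = isAffected(version);
  return {
    version,
    affected,
    advice: affected ? `upgrade CKEditor 4 to ${FIXED_VERSION} or later` : "not in the affected range",
  };
}

// Constructed sample fragments standing in for the head of two ckeditor.js builds.
const SAMPLE_OLD_BUILD = 'var CKEDITOR={timestamp:"L7C8",version:"4.16.2",revision:"0123456"};';
const SAMPLE_FIXED_BUILD = 'var CKEDITOR={timestamp:"L8D9",version:"4.17.0",revision:"89abcde"};';

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(assessBuild(SAMPLE_OLD_BUILD));   // affected: true
  console.log(assessBuild(SAMPLE_FIXED_BUILD)); // affected: false
}
```

In a live page the same `isAffected` check can be run against `CKEDITOR.version` from the browser console; for products that bundle the editor (Drupal, the Oracle products listed below) the bundled copy's version is what matters, not the vendor's own release number, so check the shipped ckeditor.js rather than relying on the host application's version alone.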
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (base score 5.4, Medium)
Reading the vector: the attack is network-reachable with low complexity, but it needs a low-privileged account (one that can submit content through the editor) and user interaction from a victim who views that content; scope is changed because the payload runs in the victim's browser context rather than the editor's, with low confidentiality and integrity impact and no availability impact.
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Ckeditor | Ckeditor | >= 4.0, < 4.17.0 |
| Drupal | Drupal | >= 8.9.0, < 8.9.20 |
| Drupal | Drupal | >= 9.1.0, < 9.1.14 |
| Drupal | Drupal | >= 9.2.0, < 9.2.9 |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Apis | 19.1 |
| Oracle | Banking Apis | 19.2 |
| Oracle | Banking Apis | 20.1 |
| Oracle | Banking Apis | 21.1 |
| Oracle | Banking Digital Experience | >= 18.1, <= 18.3 |
| Oracle | Banking Digital Experience | 19.1 |
| Oracle | Banking Digital Experience | 19.2 |
| Oracle | Banking Digital Experience | 20.1 |
| Oracle | Banking Digital Experience | 21.1 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Application Express | < 22.1 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Webcenter Portal | 12.2.1.4.0 |
| Fedoraproject | Fedora | 36 |
| Fedoraproject | Fedora | 37 |
References
- https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 (Patch, Third Party Advisory)
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj (Third Party Advisory)
- https://www.drupal.org/sa-core-2021-011 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Not Applicable)
Frequently Asked Questions
What is CVE-2021-41164?
A content-sanitization bypass in the Advanced Content Filter (ACF) module of CKEditor 4 before 4.17.0. Malformed HTML can get past the filter and may lead to JavaScript execution in the browser of a user viewing the content. Products that bundle CKEditor 4 (Drupal 8.9, 9.1 and 9.2, several Oracle products, and Fedora 36 and 37) shipped affected copies.
How severe is CVE-2021-41164?
Medium: CVSS 3.1 base score 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). Exploitation requires an account able to submit editor content and a victim who views it. EPSS estimates a 1.26% chance of exploitation in the next 30 days.
How do I fix CVE-2021-41164?
Upgrade CKEditor 4 to version 4.17.0 or later. For bundled copies, apply the vendor fix: Drupal 8.9.20, 9.1.14 or 9.2.9 (SA-CORE-2021-011), the Oracle Critical Patch Updates of January and April 2022 for the Oracle products listed above, or the Fedora update. Tightening `config.allowedContent` does not help, since the bypass is in the filter itself.
Are you affected by CVE-2021-41164?
Check the version of the CKEditor 4 build actually served to browsers (CKEDITOR.version in the console, or the version string in the shipped ckeditor.js) against 4.17.0; for bundling products, compare the host application's version against the affected ranges in the table above.
Source: NVD / NIST
