CVE-2021-37695

HIGH7.3EPSS 0.74%

Fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML.

Published: 8/23/2021Modified: 3/13/2026
Also known as:GHSA-m94c-37g6-cjhc

Description

### Affected packages The vulnerability has been discovered in [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) plugin. All plugins with [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) plugin dependency are affected: * [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) * [Link](https://ckeditor.com/cke4/addon/link) * [Flash](https://ckeditor.com/cke4/addon/flash) * [Iframe](https://ckeditor.com/cke4/addon/iframe) * [Forms](https://ckeditor.com/cke4/addon/forms) * [Page Break](https://ckeditor.com/cke4/addon/pagebreak) ### Impact A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. ### Patches The problem has been recognized and patched. The fix will be available in version 4.16.2. ### For more information Email us at [email protected] if you have any questions or comments about this advisory. ### Acknowledgements The CKEditor 4 team would like to thank Mika Kulmala ([kulmik](https://github.com/kulmik)) for recognizing and reporting this vulnerability.

Affected packages (2)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1HIGH7.3CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References (11)