CVE-2021-41164

HIGH8.2EPSS 0.08%

Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML

發布日:2021/11/17修改日:2026/3/13

也稱為:GHSA-pvmx-g8h5-cprjBIT-drupal-2021-41164

描述

### Affected packages The vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. ### Impact A potential vulnerability has been discovered in CKEditor 4 Advanced Content Filter (ACF) core module. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. ### Patches The problem has been recognized and patched. The fix will be available in version 4.17.0. ### For more information Email us at [email protected] if you have any questions or comments about this advisory. ### Acknowledgements The CKEditor 4 team would like to thank Maurice Dauer ([laytonctf](https://twitter.com/laytonctf)) for recognizing and reporting this vulnerability.

受影響套件(3)

Bitnami/drupal>= 8.9.0, < 8.9.20, >= 9.1.0, < 9.1.14, >= 9.2.0, < 9.2.9
Debian/ckeditorfrom 0
npm/ckeditor4from 0, < 4.17.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

描述

受影響套件(3)

CVSS 分數

參考連結(13)