CVE-2021-41165
HIGH8.2EPSS 0.13%HTML comments vulnerability allowing to execute JavaScript code
描述
### Affected packages The vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. ### Impact A potential vulnerability has been discovered in CKEditor 4 HTML processing core module. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. ### Patches The problem has been recognized and patched. The fix will be available in version 4.17.0. ### For more information Email us at [email protected] if you have any questions or comments about this advisory. ### Acknowledgements The CKEditor 4 team would like to thank William Bowling ([wbowling](https://github.com/wbowling)) for recognizing and reporting this vulnerability.
受影響套件(5)
- Bitnami/drupal>= 8.9.0, < 8.9.20, >= 9.1.0, < 9.1.14, >= 9.2.0, < 9.2.9
- Debian/ckeditorfrom 0
- Debian/ckeditor3from 0
- npm/ckeditor4from 0, < 4.17.0
- Packagist/ckeditor/ckeditorfrom 0, < 4.17.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.2 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-41165
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-41165
- PATCHhttps://github.com/ckeditor/ckeditor4
- WEBhttps://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417
- WEBhttps://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2
- WEBhttps://www.drupal.org/sa-core-2021-011
- WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
- WEBhttps://www.oracle.com/security-alerts/cpujan2022.html
- WEBhttps://www.oracle.com/security-alerts/cpujul2022.html