All the vulnerabilites related to ckeditor - ckeditor
cve-2020-27193
Vulnerability from cvelistv5
Published
2020-11-12 20:31
Modified
2024-08-04 16:11
Severity ?
EPSS score ?
Summary
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
References
▼ | URL | Tags |
---|---|---|
https://ckeditor.com/ckeditor-4/download/ | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuApr2021.html | x_refsource_MISC | |
https://ckeditor.com/cke4/release/CKEditor-4.15.1 | x_refsource_CONFIRM | |
https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/ | x_refsource_CONFIRM | |
https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:11:35.976Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/ckeditor-4/download/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.15.1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-20T10:39:35", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/ckeditor-4/download/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.15.1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-27193", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://ckeditor.com/ckeditor-4/download/", "refsource": "MISC", "url": "https://ckeditor.com/ckeditor-4/download/" }, { "name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "name": "https://ckeditor.com/cke4/release/CKEditor-4.15.1", "refsource": "CONFIRM", "url": "https://ckeditor.com/cke4/release/CKEditor-4.15.1" }, { "name": "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/", "refsource": "CONFIRM", "url": "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-27193", "datePublished": "2020-11-12T20:31:41", "dateReserved": "2020-10-16T00:00:00", "dateUpdated": "2024-08-04T16:11:35.976Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-2066
Vulnerability from cvelistv5
Published
2012-09-05 00:00
Modified
2024-08-06 19:17
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://drupal.org/node/1482442 | x_refsource_CONFIRM | |
http://drupal.org/node/1482480 | x_refsource_CONFIRM | |
http://www.osvdb.org/80079 | vdb-entry, x_refsource_OSVDB | |
http://www.openwall.com/lists/oss-security/2012/04/07/1 | mailing-list, x_refsource_MLIST | |
http://drupal.org/node/1482466 | x_refsource_CONFIRM | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/74036 | vdb-entry, x_refsource_XF | |
http://secunia.com/advisories/48435 | third-party-advisory, x_refsource_SECUNIA | |
http://drupal.org/node/1482528 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:17:27.870Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://drupal.org/node/1482442" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://drupal.org/node/1482480" }, { "name": "80079", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/80079" }, { "name": "[oss-security] 20120406 CVE\u0027s for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://drupal.org/node/1482466" }, { "name": "ckeditor-drupal-unspec-xss(74036)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74036" }, { "name": "48435", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/48435" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://drupal.org/node/1482528" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-03-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://drupal.org/node/1482442" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://drupal.org/node/1482480" }, { "name": "80079", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/80079" }, { "name": "[oss-security] 20120406 CVE\u0027s for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://drupal.org/node/1482466" }, { "name": "ckeditor-drupal-unspec-xss(74036)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74036" }, { "name": "48435", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/48435" }, { "tags": [ "x_refsource_MISC" ], "url": "http://drupal.org/node/1482528" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-2066", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://drupal.org/node/1482442", "refsource": "CONFIRM", "url": "http://drupal.org/node/1482442" }, { "name": "http://drupal.org/node/1482480", "refsource": "CONFIRM", "url": "http://drupal.org/node/1482480" }, { "name": "80079", "refsource": "OSVDB", "url": "http://www.osvdb.org/80079" }, { "name": "[oss-security] 20120406 CVE\u0027s for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1" }, { "name": "http://drupal.org/node/1482466", "refsource": "CONFIRM", "url": "http://drupal.org/node/1482466" }, { "name": "ckeditor-drupal-unspec-xss(74036)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74036" }, { "name": "48435", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/48435" }, { "name": "http://drupal.org/node/1482528", "refsource": "MISC", "url": "http://drupal.org/node/1482528" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-2066", "datePublished": "2012-09-05T00:00:00", "dateReserved": "2012-04-04T00:00:00", "dateUpdated": "2024-08-06T19:17:27.870Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26272
Vulnerability from cvelistv5
Published
2021-01-26 20:39
Modified
2024-08-03 20:19
Severity ?
EPSS score ?
Summary
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
References
▼ | URL | Tags |
---|---|---|
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 | x_refsource_MISC | |
https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC | |
https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:20.393Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-07T14:41:52", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-26272", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin)." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416", "refsource": "MISC", "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first", "refsource": "MISC", "url": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-26272", "datePublished": "2021-01-26T20:39:56", "dateReserved": "2021-01-26T00:00:00", "dateUpdated": "2024-08-03T20:19:20.393Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-24815
Vulnerability from cvelistv5
Published
2024-02-07 15:14
Modified
2024-08-01 23:28
Severity ?
EPSS score ?
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-24815", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-08T16:41:58.530703Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:21:42.034Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:28:12.743Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm" }, { "name": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb" }, { "name": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata" }, { "name": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html" }, { "name": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-contrib-2024-009" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003c 4.24.0-lts" } ] } ], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-07T17:29:51.330Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm" }, { "name": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb" }, { "name": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata", "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata" }, { "name": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html", "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html" }, { "name": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html", "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html" }, { "url": "https://www.drupal.org/sa-contrib-2024-009" } ], "source": { "advisory": "GHSA-fq6h-4g8v-qqvm", "discovery": "UNKNOWN" }, "title": "CKEditor4 Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-24815", "datePublished": "2024-02-07T15:14:32.361Z", "dateReserved": "2024-01-31T16:28:17.942Z", "dateUpdated": "2024-08-01T23:28:12.743Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-43407
Vulnerability from cvelistv5
Published
2024-08-21 15:03
Modified
2024-08-21 19:54
Severity ?
EPSS score ?
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv | x_refsource_CONFIRM | |
https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94 | x_refsource_MISC | |
https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-43407", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-21T19:12:17.228243Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-21T19:54:12.846Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003c 4.25.0-lts" } ] } ], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-21T15:03:41.629Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv" }, { "name": "https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94" }, { "name": "https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa" } ], "source": { "advisory": "GHSA-7r32-vfj5-c2jv", "discovery": "UNKNOWN" }, "title": "Code Snippet GeSHi plugin has reflected cross-site scripting (XSS) vulnerability" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-43407", "datePublished": "2024-08-21T15:03:41.629Z", "dateReserved": "2024-08-12T18:02:04.966Z", "dateUpdated": "2024-08-21T19:54:12.846Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-2067
Vulnerability from cvelistv5
Published
2012-09-05 00:00
Modified
2024-08-06 19:17
Severity ?
EPSS score ?
Summary
Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information.
References
▼ | URL | Tags |
---|---|---|
http://drupal.org/node/1482442 | x_refsource_CONFIRM | |
http://www.osvdb.org/80080 | vdb-entry, x_refsource_OSVDB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/74037 | vdb-entry, x_refsource_XF | |
http://drupal.org/node/1482480 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2012/04/07/1 | mailing-list, x_refsource_MLIST | |
http://drupal.org/node/1482466 | x_refsource_CONFIRM | |
http://secunia.com/advisories/48435 | third-party-advisory, x_refsource_SECUNIA | |
http://drupal.org/node/1482528 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:17:27.699Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://drupal.org/node/1482442" }, { "name": "80080", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/80080" }, { "name": "ckeditor-drupal-code-execution(74037)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74037" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://drupal.org/node/1482480" }, { "name": "[oss-security] 20120406 CVE\u0027s for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://drupal.org/node/1482466" }, { "name": "48435", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/48435" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://drupal.org/node/1482528" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-03-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://drupal.org/node/1482442" }, { "name": "80080", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/80080" }, { "name": "ckeditor-drupal-code-execution(74037)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74037" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://drupal.org/node/1482480" }, { "name": "[oss-security] 20120406 CVE\u0027s for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://drupal.org/node/1482466" }, { "name": "48435", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/48435" }, { "tags": [ "x_refsource_MISC" ], "url": "http://drupal.org/node/1482528" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-2067", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://drupal.org/node/1482442", "refsource": "CONFIRM", "url": "http://drupal.org/node/1482442" }, { "name": "80080", "refsource": "OSVDB", "url": "http://www.osvdb.org/80080" }, { "name": "ckeditor-drupal-code-execution(74037)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74037" }, { "name": "http://drupal.org/node/1482480", "refsource": "CONFIRM", "url": "http://drupal.org/node/1482480" }, { "name": "[oss-security] 20120406 CVE\u0027s for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1" }, { "name": "http://drupal.org/node/1482466", "refsource": "CONFIRM", "url": "http://drupal.org/node/1482466" }, { "name": "48435", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/48435" }, { "name": "http://drupal.org/node/1482528", "refsource": "MISC", "url": "http://drupal.org/node/1482528" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-2067", "datePublished": "2012-09-05T00:00:00", "dateReserved": "2012-04-04T00:00:00", "dateUpdated": "2024-08-06T19:17:27.699Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41165
Vulnerability from cvelistv5
Published
2021-11-17 19:15
Modified
2024-08-04 02:59
Severity ?
EPSS score ?
Summary
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 | x_refsource_MISC | |
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2 | x_refsource_CONFIRM | |
https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC | |
https://www.drupal.org/sa-core-2021-011 | x_refsource_CONFIRM | |
https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.758Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.drupal.org/sa-core-2021-011" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003c 4.17.0" } ] } ], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version \u003c 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-25T16:37:57", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.drupal.org/sa-core-2021-011" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "source": { "advisory": "GHSA-7h26-63m7-qhf2", "discovery": "UNKNOWN" }, "title": "HTML comments vulnerability allowing to execute JavaScript code", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41165", "STATE": "PUBLIC", "TITLE": "HTML comments vulnerability allowing to execute JavaScript code" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "ckeditor4", "version": { "version_data": [ { "version_value": "\u003c 4.17.0" } ] } } ] }, "vendor_name": "ckeditor" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version \u003c 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417", "refsource": "MISC", "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417" }, { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2", "refsource": "CONFIRM", "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.drupal.org/sa-core-2021-011", "refsource": "CONFIRM", "url": "https://www.drupal.org/sa-core-2021-011" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] }, "source": { "advisory": "GHSA-7h26-63m7-qhf2", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41165", "datePublished": "2021-11-17T19:15:11", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.758Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-31541
Vulnerability from cvelistv5
Published
2023-06-13 00:00
Modified
2025-01-03 19:28
Severity ?
EPSS score ?
Summary
A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T14:53:31.029Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "http://redmine.com" }, { "tags": [ "x_transferred" ], "url": "http://redmineckeditor.com" }, { "tags": [ "x_transferred" ], "url": "https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-31541", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-01-03T19:28:03.588412Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-03T19:28:07.534Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A unrestricted file upload vulnerability was discovered in the \u2018Browse and upload images\u2019 feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-13T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "http://redmine.com" }, { "url": "http://redmineckeditor.com" }, { "url": "https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-31541", "datePublished": "2023-06-13T00:00:00", "dateReserved": "2023-04-29T00:00:00", "dateUpdated": "2025-01-03T19:28:07.534Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-9281
Vulnerability from cvelistv5
Published
2020-03-07 00:02
Modified
2024-08-04 10:26
Severity ?
EPSS score ?
Summary
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
References
▼ | URL | Tags |
---|---|---|
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/ | vendor-advisory, x_refsource_FEDORA | |
https://www.oracle.com/security-alerts/cpuoct2020.html | x_refsource_MISC | |
https://github.com/ckeditor/ckeditor4 | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujan2021.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuApr2021.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:26:15.821Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2020-8d5de93970", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/" }, { "name": "FEDORA-2020-261449d821", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/" }, { "name": "FEDORA-2020-a832c215bf", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted \"protected\" comment (with the cke_protected syntax)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-07T14:41:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "FEDORA-2020-8d5de93970", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/" }, { "name": "FEDORA-2020-261449d821", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/" }, { "name": "FEDORA-2020-a832c215bf", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ckeditor/ckeditor4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-9281", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted \"protected\" comment (with the cke_protected syntax)." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "FEDORA-2020-8d5de93970", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/" }, { "name": "FEDORA-2020-261449d821", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/" }, { "name": "FEDORA-2020-a832c215bf", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "name": "https://github.com/ckeditor/ckeditor4", "refsource": "MISC", "url": "https://github.com/ckeditor/ckeditor4" }, { "name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-9281", "datePublished": "2020-03-07T00:02:27", "dateReserved": "2020-02-19T00:00:00", "dateUpdated": "2024-08-04T10:26:15.821Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-4972
Vulnerability from cvelistv5
Published
2019-11-13 20:51
Modified
2024-08-07 00:23
Severity ?
EPSS score ?
Summary
hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.
References
▼ | URL | Tags |
---|---|---|
https://drupal.org/node/1337006 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2013/06/04/5 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2013/06/04/7 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | CKSource | CKEditor Drupal module |
Version: 7.x-1.4 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:23:39.372Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://drupal.org/node/1337006" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/04/5" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/04/7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "CKEditor Drupal module", "vendor": "CKSource", "versions": [ { "status": "affected", "version": "7.x-1.4" } ] } ], "datePublic": "2013-06-04T00:00:00", "descriptions": [ { "lang": "en", "value": "hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request." } ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Permissions", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-13T20:51:23", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://drupal.org/node/1337006" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/04/5" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/04/7" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2011-4972", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "CKEditor Drupal module", "version": { "version_data": [ { "version_value": "7.x-1.4" } ] } } ] }, "vendor_name": "CKSource" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://drupal.org/node/1337006", "refsource": "MISC", "url": "https://drupal.org/node/1337006" }, { "name": "http://www.openwall.com/lists/oss-security/2013/06/04/5", "refsource": "MISC", "url": "http://www.openwall.com/lists/oss-security/2013/06/04/5" }, { "name": "http://www.openwall.com/lists/oss-security/2013/06/04/7", "refsource": "MISC", "url": "http://www.openwall.com/lists/oss-security/2013/06/04/7" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-4972", "datePublished": "2019-11-13T20:51:23", "dateReserved": "2011-12-23T00:00:00", "dateUpdated": "2024-08-07T00:23:39.372Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-32808
Vulnerability from cvelistv5
Published
2021-08-12 16:25
Modified
2024-08-03 23:33
Severity ?
EPSS score ?
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c | x_refsource_CONFIRM | |
https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2 | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/ | vendor-advisory, x_refsource_FEDORA | |
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:33:55.865Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2" }, { "name": "FEDORA-2021-51457da891", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003e= 4.13.0, \u003c 4.16.2" } ] } ], "descriptions": [ { "lang": "en", "value": "ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version \u003e= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-07T14:42:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2" }, { "name": "FEDORA-2021-51457da891", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "source": { "advisory": "GHSA-6226-h7ff-ch6c", "discovery": "UNKNOWN" }, "title": "Cross-site scripting in ckeditor via abuse of undo functionality", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32808", "STATE": "PUBLIC", "TITLE": "Cross-site scripting in ckeditor via abuse of undo functionality" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "ckeditor4", "version": { "version_data": [ { "version_value": "\u003e= 4.13.0, \u003c 4.16.2" } ] } } ] }, "vendor_name": "ckeditor" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version \u003e= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c", "refsource": "CONFIRM", "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c" }, { "name": "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2", "refsource": "MISC", "url": "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2" }, { "name": "FEDORA-2021-51457da891", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ] }, "source": { "advisory": "GHSA-6226-h7ff-ch6c", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32808", "datePublished": "2021-08-12T16:25:10", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:55.865Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-24816
Vulnerability from cvelistv5
Published
2024-02-07 16:58
Modified
2024-08-01 23:28
Severity ?
EPSS score ?
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76 | x_refsource_CONFIRM | |
https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb | x_refsource_MISC | |
https://ckeditor.com/cke4/addon/preview | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-24816", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-21T20:41:03.498820Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:43:36.184Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:28:12.611Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76" }, { "name": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb" }, { "name": "https://ckeditor.com/cke4/addon/preview", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/cke4/addon/preview" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003c 4.24.0-lts" } ] } ], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version \u003c 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-07T16:58:24.564Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76" }, { "name": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb" }, { "name": "https://ckeditor.com/cke4/addon/preview", "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/cke4/addon/preview" } ], "source": { "advisory": "GHSA-mw2c-vx6j-mg76", "discovery": "UNKNOWN" }, "title": "Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-24816", "datePublished": "2024-02-07T16:58:24.564Z", "dateReserved": "2024-01-31T16:28:17.942Z", "dateUpdated": "2024-08-01T23:28:12.611Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41164
Vulnerability from cvelistv5
Published
2021-11-17 00:00
Modified
2024-08-04 02:59
Severity ?
EPSS score ?
Summary
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.641Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj" }, { "tags": [ "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-core-2021-011" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "FEDORA-2022-b61dfd219b", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "name": "FEDORA-2022-4c634ee466", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003c 4.17.0" } ] } ], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version \u003c 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-14T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj" }, { "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417" }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "url": "https://www.drupal.org/sa-core-2021-011" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "FEDORA-2022-b61dfd219b", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "name": "FEDORA-2022-4c634ee466", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" } ], "source": { "advisory": "GHSA-pvmx-g8h5-cprj", "discovery": "UNKNOWN" }, "title": "Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41164", "datePublished": "2021-11-17T00:00:00", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.641Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-5191
Vulnerability from cvelistv5
Published
2014-08-07 10:00
Modified
2024-08-06 11:34
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://ckeditor.com/node/136981 | x_refsource_CONFIRM | |
http://secunia.com/advisories/60036 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/69161 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T11:34:37.519Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://ckeditor.com/node/136981" }, { "name": "60036", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/60036" }, { "name": "69161", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/69161" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-07-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-04-29T18:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://ckeditor.com/node/136981" }, { "name": "60036", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/60036" }, { "name": "69161", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/69161" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-5191", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://ckeditor.com/node/136981", "refsource": "CONFIRM", "url": "http://ckeditor.com/node/136981" }, { "name": "60036", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60036" }, { "name": "69161", "refsource": "BID", "url": "http://www.securityfocus.com/bid/69161" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-5191", "datePublished": "2014-08-07T10:00:00", "dateReserved": "2014-08-07T00:00:00", "dateUpdated": "2024-08-06T11:34:37.519Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-32809
Vulnerability from cvelistv5
Published
2021-08-12 17:10
Modified
2024-08-03 23:33
Severity ?
EPSS score ?
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/ | vendor-advisory, x_refsource_FEDORA | |
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:33:56.090Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg" }, { "name": "FEDORA-2021-51457da891", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003e= 4.5.2, \u003c 4.16.2" } ] } ], "descriptions": [ { "lang": "en", "value": "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version \u003e= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-07T14:42:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg" }, { "name": "FEDORA-2021-51457da891", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "source": { "advisory": "GHSA-7889-rm5j-hpgg", "discovery": "UNKNOWN" }, "title": "Arbitrary HTML injection vulnerability in ckeditor", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32809", "STATE": "PUBLIC", "TITLE": "Arbitrary HTML injection vulnerability in ckeditor" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "ckeditor4", "version": { "version_data": [ { "version_value": "\u003e= 4.5.2, \u003c 4.16.2" } ] } } ] }, "vendor_name": "ckeditor" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version \u003e= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg", "refsource": "CONFIRM", "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg" }, { "name": "FEDORA-2021-51457da891", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ] }, "source": { "advisory": "GHSA-7889-rm5j-hpgg", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32809", "datePublished": "2021-08-12T17:10:09", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:56.090Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24728
Vulnerability from cvelistv5
Published
2022-03-16 00:00
Modified
2024-08-03 04:20
Severity ?
EPSS score ?
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:49.856Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89" }, { "tags": [ "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949" }, { "tags": [ "x_transferred" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.18.0" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-core-2022-005" }, { "name": "FEDORA-2022-b61dfd219b", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "name": "FEDORA-2022-4c634ee466", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003c 4.18.0" } ] } ], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-14T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89" }, { "url": "https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949" }, { "url": "https://ckeditor.com/cke4/release/CKEditor-4.18.0" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://www.drupal.org/sa-core-2022-005" }, { "name": "FEDORA-2022-b61dfd219b", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "name": "FEDORA-2022-4c634ee466", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" } ], "source": { "advisory": "GHSA-4fc4-4p5g-6w89", "discovery": "UNKNOWN" }, "title": "Cross-site Scripting in CKEditor4" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24728", "datePublished": "2022-03-16T00:00:00", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:49.856Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26271
Vulnerability from cvelistv5
Published
2021-01-26 20:39
Modified
2024-08-03 20:19
Severity ?
EPSS score ?
Summary
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
References
▼ | URL | Tags |
---|---|---|
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 | x_refsource_MISC | |
https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC | |
https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first | x_refsource_CONFIRM | |
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:19:20.393Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-20T10:41:40", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-26271", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin)." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416", "refsource": "MISC", "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first", "refsource": "CONFIRM", "url": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-26271", "datePublished": "2021-01-26T20:39:46", "dateReserved": "2021-01-26T00:00:00", "dateUpdated": "2024-08-03T20:19:20.393Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-17960
Vulnerability from cvelistv5
Published
2018-11-14 20:00
Modified
2024-08-05 11:01
Severity ?
EPSS score ?
Summary
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
References
▼ | URL | Tags |
---|---|---|
https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/ | x_refsource_MISC | |
https://ckeditor.com/cke4/release/CKEditor-4.11.0 | x_refsource_MISC | |
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/109205 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:01:14.714Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.11.0" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "name": "109205", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/109205" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-11-14T00:00:00", "descriptions": [ { "lang": "en", "value": "CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-07-23T22:31:37", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.11.0" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "name": "109205", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/109205" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-17960", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/", "refsource": "MISC", "url": "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/" }, { "name": "https://ckeditor.com/cke4/release/CKEditor-4.11.0", "refsource": "MISC", "url": "https://ckeditor.com/cke4/release/CKEditor-4.11.0" }, { "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "name": "109205", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109205" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-17960", "datePublished": "2018-11-14T20:00:00", "dateReserved": "2018-10-03T00:00:00", "dateUpdated": "2024-08-05T11:01:14.714Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24729
Vulnerability from cvelistv5
Published
2022-03-16 00:00
Modified
2024-08-03 04:20
Severity ?
EPSS score ?
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:49.845Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.18.0" }, { "tags": [ "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-core-2022-005" }, { "name": "FEDORA-2022-b61dfd219b", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "name": "FEDORA-2022-4c634ee466", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003c 4.18.0" } ] } ], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-14T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://ckeditor.com/cke4/release/CKEditor-4.18.0" }, { "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://www.drupal.org/sa-core-2022-005" }, { "name": "FEDORA-2022-b61dfd219b", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "name": "FEDORA-2022-4c634ee466", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" } ], "source": { "advisory": "GHSA-f6rf-9m92-x2hh", "discovery": "UNKNOWN" }, "title": "Regular expression Denial of Service in dialog plugin" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24729", "datePublished": "2022-03-16T00:00:00", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:49.845Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-37695
Vulnerability from cvelistv5
Published
2021-08-12 23:10
Modified
2024-08-04 01:23
Severity ?
EPSS score ?
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc | x_refsource_CONFIRM | |
https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58 | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/ | vendor-advisory, x_refsource_FEDORA | |
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html | mailing-list, x_refsource_MLIST | |
https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:23:01.506Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58" }, { "name": "FEDORA-2021-51457da891", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003c 4.16.2" } ] } ], "descriptions": [ { "lang": "en", "value": "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version \u003c 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-07T14:42:37", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58" }, { "name": "FEDORA-2021-51457da891", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "source": { "advisory": "GHSA-m94c-37g6-cjhc", "discovery": "UNKNOWN" }, "title": "Execution of JavaScript code using malformed HTML in ckeditor", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-37695", "STATE": "PUBLIC", "TITLE": "Execution of JavaScript code using malformed HTML in ckeditor" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "ckeditor4", "version": { "version_data": [ { "version_value": "\u003c 4.16.2" } ] } } ] }, "vendor_name": "ckeditor" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version \u003c 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc", "refsource": "CONFIRM", "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc" }, { "name": "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58", "refsource": "MISC", "url": "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58" }, { "name": "FEDORA-2021-51457da891", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ] }, "source": { "advisory": "GHSA-m94c-37g6-cjhc", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-37695", "datePublished": "2021-08-12T23:10:10", "dateReserved": "2021-07-29T00:00:00", "dateUpdated": "2024-08-04T01:23:01.506Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-33829
Vulnerability from cvelistv5
Published
2021-06-09 11:51
Modified
2024-08-03 23:58
Severity ?
EPSS score ?
Summary
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
References
▼ | URL | Tags |
---|---|---|
https://www.drupal.org/sa-core-2021-003 | x_refsource_CONFIRM | |
https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:58:23.102Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.drupal.org/sa-core-2021-003" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser" }, { "name": "FEDORA-2021-51457da891", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "name": "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!\u003e is mishandled." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-09T10:06:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.drupal.org/sa-core-2021-003" }, { "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser" }, { "name": "FEDORA-2021-51457da891", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "name": "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-33829", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!\u003e is mishandled." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.drupal.org/sa-core-2021-003", "refsource": "CONFIRM", "url": "https://www.drupal.org/sa-core-2021-003" }, { "name": "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser", "refsource": "MISC", "url": "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser" }, { "name": "FEDORA-2021-51457da891", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "name": "FEDORA-2021-72176a63a8", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "name": "FEDORA-2021-87578dca12", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "name": "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-33829", "datePublished": "2021-06-09T11:51:00", "dateReserved": "2021-06-03T00:00:00", "dateUpdated": "2024-08-03T23:58:23.102Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-9440
Vulnerability from cvelistv5
Published
2020-03-10 16:57
Modified
2024-08-04 10:26
Severity ?
EPSS score ?
Summary
A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.
References
▼ | URL | Tags |
---|---|---|
https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/ | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:26:16.100Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed" }, { "name": "FEDORA-2020-8d5de93970", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/" }, { "name": "FEDORA-2020-261449d821", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/" }, { "name": "FEDORA-2020-a832c215bf", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-29T03:06:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed" }, { "name": "FEDORA-2020-8d5de93970", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/" }, { "name": "FEDORA-2020-261449d821", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/" }, { "name": "FEDORA-2020-a832c215bf", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-9440", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed", "refsource": "MISC", "url": "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed" }, { "name": "FEDORA-2020-8d5de93970", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/" }, { "name": "FEDORA-2020-261449d821", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/" }, { "name": "FEDORA-2020-a832c215bf", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-9440", "datePublished": "2020-03-10T16:57:12", "dateReserved": "2020-02-28T00:00:00", "dateUpdated": "2024-08-04T10:26:16.100Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-48110
Vulnerability from cvelistv5
Published
2023-02-13 00:00
Modified
2024-08-03 15:02
Severity ?
EPSS score ?
Summary
CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false).
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T15:02:36.668Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html" }, { "tags": [ "x_transferred" ], "url": "https://packetstormsecurity.com/files/170927/CKSource-CKEditor5-35.4.0-Cross-Site-Scripting.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor\u0027s position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-14T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html" }, { "url": "https://packetstormsecurity.com/files/170927/CKSource-CKEditor5-35.4.0-Cross-Site-Scripting.html" } ], "tags": [ "disputed" ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-48110", "datePublished": "2023-02-13T00:00:00", "dateReserved": "2022-12-29T00:00:00", "dateUpdated": "2024-08-03T15:02:36.668Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28439
Vulnerability from cvelistv5
Published
2023-03-22 20:55
Modified
2024-10-15 17:12
Severity ?
EPSS score ?
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism.
A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:38:25.306Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g" }, { "name": "https://ckeditor.com/cke4/addon/embed", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/cke4/addon/embed" }, { "name": "https://ckeditor.com/cke4/addon/iframe", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ckeditor.com/cke4/addon/iframe" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-28439", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-15T17:09:11.109854Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-15T17:12:27.344Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "ckeditor4", "vendor": "ckeditor", "versions": [ { "status": "affected", "version": "\u003c 4.21.0" } ] } ], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `\u003ctextarea\u003e` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism.\n\nA fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-22T20:55:00.208Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g" }, { "name": "https://ckeditor.com/cke4/addon/embed", "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/cke4/addon/embed" }, { "name": "https://ckeditor.com/cke4/addon/iframe", "tags": [ "x_refsource_MISC" ], "url": "https://ckeditor.com/cke4/addon/iframe" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/" } ], "source": { "advisory": "GHSA-vh5c-xwqv-cv9g", "discovery": "UNKNOWN" }, "title": "ckeditor4 plugins vulnerable to cross-site scripting caused by the editor instance destroying process" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28439", "datePublished": "2023-03-22T20:55:00.208Z", "dateReserved": "2023-03-15T15:59:10.054Z", "dateUpdated": "2024-10-15T17:12:27.344Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2012-09-05 00:55
Modified
2024-11-21 01:38
Severity ?
Summary
Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:*:*:*:*:*:*:*", "matchCriteriaId": "44B163FD-1FE9-48C4-B0AA-DD50847FF1F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:beta:*:*:*:*:*:*", "matchCriteriaId": "F76C9A2D-841B-40B2-9B20-3D19B8E4D599", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:beta2:*:*:*:*:*:*", "matchCriteriaId": "5F296BCB-1010-47CD-8710-CB2B811A2CCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.2:*:*:*:*:*:*:*", "matchCriteriaId": "0B350AE9-4072-4E78-B891-693E83A10B68", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.2-1:*:*:*:*:*:*:*", "matchCriteriaId": "1CBBEAAF-31FB-4EFB-971A-FB6A0A7D237F", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:*:*:*:*:*:*:*", "matchCriteriaId": "09808721-056C-4BE8-8BFB-D31D6F95C751", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:beta:*:*:*:*:*:*", "matchCriteriaId": "9AEB8F31-C6F3-45D1-95C3-D9F4DE8A011F", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:beta2:*:*:*:*:*:*", "matchCriteriaId": "423F1192-70EB-4EA8-8FD2-4DD913513311", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "D21FCEAD-0D7B-4B9B-995F-9DC0B59D9EC5", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "C31D54C7-B2F6-44F5-A7EE-1256F69561A4", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc3:*:*:*:*:*:*", "matchCriteriaId": "169C2734-5A10-4486-8329-1B4C99377F34", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc5:*:*:*:*:*:*", "matchCriteriaId": "D2A96BDD-CE2A-468B-BA11-420013FD962A", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc6:*:*:*:*:*:*", "matchCriteriaId": "D36AA137-0B92-4C0C-A110-689CD1D8B13C", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc7:*:*:*:*:*:*", "matchCriteriaId": "7B9AF995-8E15-49E5-A999-D46F4021DF9A", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:*:*:*:*:*:*:*", "matchCriteriaId": "5E35468C-4F35-44CA-AB5A-B744DAAEA5A5", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "9BC0703D-CC61-4035-BD4F-4FA225E91247", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "053CB577-FAA9-4C52-9F70-79EAB0EF2C7F", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.x:dev:*:*:*:*:*:*", "matchCriteriaId": "80718F1B-01E0-470C-A64B-FE6EF21E7B33", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:*:*:*:*:*:*:*", "matchCriteriaId": "3972DA1A-AB39-40C0-B07A-C78A14F4BE9F", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "6D692A34-334E-4EF6-A9A2-00E0DBCBF8F2", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "7D8493A8-16C7-4A86-B117-5D6960672A26", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "16A838C7-F87F-4700-978A-CBE29CC05778", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "4204743A-1AF1-453E-816B-89B789421157", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "ACC858F4-915F-4269-89F4-5850E89D95B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "CC2E4995-E98D-4EBA-8F68-8D1AC8013220", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "2A4AF219-9088-4AF2-8B59-D72B5B8E0EEF", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "46BDEF08-D257-47BF-8A43-9968C2B8EF5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "5A9FB606-1EF7-4503-839F-4C1C5128C690", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D368C7DA-85EA-4B80-AFF8-20FFE4CCD410", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.1:*:*:*:*:*:*:*", "matchCriteriaId": "7E725F77-8490-42E5-B4C2-A905375819EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "19315A5D-A5B4-48A2-9823-E7D079578FF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.2:*:*:*:*:*:*:*", "matchCriteriaId": "C9E1CF58-3074-4917-953A-7B553D42A22B", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "D877BB1B-FDDF-4E32-A708-5C4EF293895B", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.3:*:*:*:*:*:*:*", "matchCriteriaId": "2D6AF3DE-116C-4C48-9122-A0AB461F3DA7", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.x:dev:*:*:*:*:*:*", "matchCriteriaId": "69A13208-719D-4627-BA30-2EE9D7D3D911", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.0:*:*:*:*:*:*:*", "matchCriteriaId": "80ACD9BA-BFAA-4421-BF46-FACC1D8EB66C", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "7B8252BB-5C2D-40B1-971E-B170DF5D8583", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.1:*:*:*:*:*:*:*", "matchCriteriaId": "7DD74EB7-12C7-495B-86D8-A63FB853A99E", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.2:*:*:*:*:*:*:*", "matchCriteriaId": "39FE612F-4CAC-4D3B-85D2-49201BE699F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.3:*:*:*:*:*:*:*", "matchCriteriaId": "81515584-8CA5-445C-9396-90236B215104", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.4:*:*:*:*:*:*:*", "matchCriteriaId": "3240117F-7FB4-495C-9CAF-7A902499B3D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.5:*:*:*:*:*:*:*", "matchCriteriaId": "ED7C7988-B82E-4BB0-B966-E2D5BFB09E69", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.6:*:*:*:*:*:*:*", "matchCriteriaId": "4D62BBD9-C702-4BEA-B8A9-960B31630EA3", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.7:*:*:*:*:*:*:*", "matchCriteriaId": "61D011F9-21E1-4B47-94D9-68F9E1DF92B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.x:dev:*:*:*:*:*:*", "matchCriteriaId": "7F2EA237-1B55-49F3-B95C-6FAAA28901C8", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.0:*:*:*:*:*:*:*", "matchCriteriaId": "42B69434-2F6F-4D0F-ADB9-FD7BD8A2B296", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C3398A12-5E6D-4E6B-80B1-D8C177FA8168", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.1:*:*:*:*:*:*:*", "matchCriteriaId": "6F74FCCC-4DAC-40DE-AA3C-8A77D8250EFA", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.2:*:*:*:*:*:*:*", "matchCriteriaId": "73BF8196-B275-4C69-BE33-3F8D8865D8A0", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.3:*:*:*:*:*:*:*", "matchCriteriaId": "0A64FD18-5402-4971-8483-95CF3535B019", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.4:*:*:*:*:*:*:*", "matchCriteriaId": "672ACFFD-70C6-457F-BF5B-9B85CCB08959", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.5:*:*:*:*:*:*:*", "matchCriteriaId": "8B4D96C8-18E7-45B5-A107-CBFBFF6D2C85", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.6:*:*:*:*:*:*:*", "matchCriteriaId": "5DB70B6B-3ECC-459D-98DA-0BB76AE9296D", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.x:dev:*:*:*:*:*:*", "matchCriteriaId": "07087627-FA8A-4E3B-8509-B1A2E4E864B5", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information." }, { "lang": "es", "value": "Vulnerabilidad no especificada en el m\u00f3dulo CKEditor v6.x-2.x anterior a v6.x-2.3 y el m\u00f3dulo CKEditor v6.x-1.x anterior a v6.x-1.9 y v7.x-1.x anterior a v7.x-1.7 para Drupal, cuando el m\u00f3dulo de n\u00facleo de PHP est\u00e1 activado, permite a usuarios remotos autenticados o atacantes remotos ejecutar c\u00f3digo PHP arbitrario a trav\u00e9s del par\u00e1metro de texto a un filtro de texto. NOTA: algunos de estos detalles han sido obtenidos a partir de informaci\u00f3n de terceros" } ], "evaluatorComment": "Per http://drupal.org/node/1482528 the versions affected are \"FCKeditor 6.x-2.x versions prior to 6.x-2.3, CKEditor 6.x-1.x versions prior to 6.x-1.9, and CKEditor 7.x-1.x versions prior to 7.x-1.7.\"\r\n", "id": "CVE-2012-2067", "lastModified": "2024-11-21T01:38:25.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-09-05T00:55:15.217", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482442" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482466" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482480" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://drupal.org/node/1482528" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/48435" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1" }, { "source": "secalert@redhat.com", "url": "http://www.osvdb.org/80080" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74037" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482442" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482466" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482480" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://drupal.org/node/1482528" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/48435" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/80080" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74037" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-03-16 16:15
Modified
2024-11-21 06:50
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC4BF70E-8D8F-4E6E-87BC-0103C0ED541F", "versionEndExcluding": "4.18.0", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "40450340-0D4F-4A9F-AADB-1708F844690A", "versionEndExcluding": "9.2.15", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9992D37-51EB-4011-9335-D1653AE2D59B", "versionEndExcluding": "9.3.8", "versionStartIncluding": "9.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "48B23728-0050-4AF0-B8B0-A959CBAB4505", "versionEndExcluding": "22.1.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "6135501A-3F3C-42BA-B2C4-79403F3510D8", "versionEndIncluding": "8.1.0.0.0", "versionStartIncluding": "8.0.7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3CC69CF0-6269-40F5-871B-16CFD5EC4C45", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "172BECE8-9626-4910-AAA1-A2FA9C7139E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "ACB82398-7281-47CF-81F9-A8A67D9C9DFE", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD9AC3A6-9B91-4B55-A320-A40E95F21058", "versionEndIncluding": "8.1.2.1", "versionStartIncluding": "8.1.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "B0EF38D2-EF89-4DBC-B305-1A5D5FC0B186", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "155FF008-1054-4943-B1C3-9117E3E51AC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B57ECC6E-CC64-4DE7-B657-3BA54EDDFFF4", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*", "matchCriteriaId": "10BBAD37-51A1-4819-807B-2642E9D4A69C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds." }, { "lang": "es", "value": "CKEditor4 es un editor HTML de c\u00f3digo abierto \"lo que visualizas es lo que obtienes\". Se ha detectado una vulnerabilidad en el m\u00f3dulo central de procesamiento de HTML y puede afectar a todos los plugins usados por CKEditor 4 versiones anteriores a 4.18.0. La vulnerabilidad permite que alguien inyecte HTML malformado omitiendo el saneo del contenido, lo que podr\u00eda resultar en una ejecuci\u00f3n de c\u00f3digo JavaScript. Este problema ha sido parcheado en versi\u00f3n 4.18.0. Actualmente no se presentan medidas de mitigaci\u00f3n conocidas" } ], "id": "CVE-2022-24728", "lastModified": "2024-11-21T06:50:57.820", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-03-16T16:15:10.907", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.18.0" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.drupal.org/sa-core-2022-005" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.18.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.drupal.org/sa-core-2022-005" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-01-26 21:15
Modified
2024-11-21 05:56
Severity ?
Summary
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | * | |
oracle | agile_plm | 9.3.5 | |
oracle | agile_plm | 9.3.6 | |
oracle | application_express | * | |
oracle | financial_services_analytical_applications_infrastructure | * | |
oracle | financial_services_analytical_applications_infrastructure | 8.1.0 | |
oracle | financial_services_analytical_applications_infrastructure | 8.1.1 | |
oracle | jd_edwards_enterpriseone_tools | * | |
oracle | siebel_ui_framework | * | |
oracle | webcenter_sites | 12.2.1.3.0 | |
oracle | webcenter_sites | 12.2.1.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C5F969A-06A2-4D84-B7DF-1CE68E285C0F", "versionEndExcluding": "4.16", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "ED43772F-D280-42F6-A292-7198284D6FE7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B4D758F-EABD-498C-9C9E-C3F35927F7DC", "versionEndExcluding": "21.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "40F940AA-05BE-426C-89A3-4098E107D9A7", "versionEndIncluding": "8.0.9", "versionStartIncluding": "8.0.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6FB8AE1F-FA6B-4A5E-AA5B-D0B7C78FE886", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "41C2C67B-BF55-4B48-A94D-1F37A4FAC68C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "86305E47-33E9-411C-B932-08C395C09982", "versionEndExcluding": "9.2.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2B15024-E757-443B-8424-BBF0A28C3753", "versionEndExcluding": "21.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D551CAB1-4312-44AA-BDA8-A030817E153A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "174A6D2E-E42E-4C92-A194-C6A820CD7EF4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin)." }, { "lang": "es", "value": "Era posible ejecutar un ataque de tipo ReDoS dentro de CKEditor 4 versiones anteriores a 4.16, al persuadir a una v\u00edctima para pegar un texto dise\u00f1ado en la entrada Styles de cuadros de di\u00e1logo espec\u00edficos (en la pesta\u00f1a Advanced para el plugin Dialogs)" } ], "id": "CVE-2021-26271", "lastModified": "2024-11-21T05:56:00.720", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-01-26T21:15:12.860", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-829" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-17 20:15
Modified
2024-11-21 06:25
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | * | |
drupal | drupal | * | |
drupal | drupal | * | |
drupal | drupal | * | |
oracle | agile_product_lifecycle_management | 9.3.6 | |
oracle | application_express | * | |
oracle | banking_apis | * | |
oracle | banking_apis | 19.1 | |
oracle | banking_apis | 19.2 | |
oracle | banking_apis | 20.1 | |
oracle | banking_apis | 21.1 | |
oracle | banking_digital_experience | * | |
oracle | banking_digital_experience | 19.1 | |
oracle | banking_digital_experience | 19.2 | |
oracle | banking_digital_experience | 20.1 | |
oracle | banking_digital_experience | 21.1 | |
oracle | commerce_guided_search | 11.3.2 | |
oracle | peoplesoft_enterprise_peopletools | 8.58 | |
oracle | peoplesoft_enterprise_peopletools | 8.59 | |
oracle | webcenter_portal | 12.2.1.3.0 | |
oracle | webcenter_portal | 12.2.1.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "731006DE-2F79-4025-B00A-91691BC711C7", "versionEndExcluding": "4.17.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "32968913-E57B-4EF5-AA96-AECED07BE717", "versionEndExcluding": "8.9.20", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D676052-0F9B-4E07-A256-AF075939F05E", "versionEndExcluding": "9.1.14", "versionStartIncluding": "9.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1734889-5F48-4F5F-A579-5FFAB4A4B67F", "versionEndExcluding": "9.2.9", "versionStartIncluding": "9.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "4305ED0E-30CC-4AEA-8988-3D1EC93A0BB2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD4A690A-FA85-4BDA-AA2E-093F726DB7DD", "versionEndExcluding": "22.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DF2D056-3118-4C31-BEDD-69F016898CBB", "versionEndIncluding": "18.3", "versionStartIncluding": "18.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*", "matchCriteriaId": "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*", "matchCriteriaId": "86F03B63-F922-45CD-A7D1-326DB0042875", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", "matchCriteriaId": "7CBFC93F-8B39-45A2-981C-59B187169BD4", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", "matchCriteriaId": "0843465C-F940-4FFC-998D-9A2668B75EA0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*", "matchCriteriaId": "366A6277-5D74-44C8-94A9-8ADB5568B5FB", "versionEndIncluding": "18.3", "versionStartIncluding": "18.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", "matchCriteriaId": "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", "matchCriteriaId": "18127694-109C-4E7E-AE79-0BA351849291", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", "matchCriteriaId": "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*", "matchCriteriaId": "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "2A3622F5-5976-4BBC-A147-FC8A6431EA79", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6A4F71A-4269-40FC-8F61-1D1301F2B728", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A502118-5B2B-47AE-82EC-1999BD841103", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version \u003c 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0." }, { "lang": "es", "value": "CKEditor4 es un editor HTML WYSIWYG de c\u00f3digo abierto. En la versi\u00f3n afectada se ha detectado una vulnerabilidad en el m\u00f3dulo central de procesamiento de HTML y puede afectar a todos los plugins usados por CKEditor 4. La vulnerabilidad permit\u00eda inyectar comentarios HTML malformados omitiendo el saneo del contenido, lo que pod\u00eda resultar en una ejecuci\u00f3n de c\u00f3digo JavaScript. Afecta a todos los usuarios que usan el CKEditor 4 en las versiones anteriores a 4.17.0. El problema ha sido reconocido y parcheado. La correcci\u00f3n estar\u00e1 disponible en la versi\u00f3n 4.17.0." } ], "id": "CVE-2021-41165", "lastModified": "2024-11-21T06:25:38.867", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-17T20:15:10.273", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://www.drupal.org/sa-core-2021-011" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "security-advisories@github.com", "tags": [ "Not Applicable" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.drupal.org/sa-core-2021-011" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-11-14 20:29
Modified
2024-11-21 03:55
Severity ?
Summary
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2EF5C75-2EE5-4D61-99C7-106E0044FFB1", "versionEndExcluding": "4.11.0", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste." }, { "lang": "es", "value": "CKEditor en versiones 4.x anteriores a la 4.11.0 permite Cross-Site Scripting (XSS) ayudado por un usuario relacionado con una operaci\u00f3n de pegado en modo origen." } ], "id": "CVE-2018-17960", "lastModified": "2024-11-21T03:55:17.017", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-11-14T20:29:00.433", "references": [ { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/109205" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.11.0" }, { "source": "cve@mitre.org", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/109205" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.11.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-03-22 21:15
Modified
2024-11-21 07:55
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism.
A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | * | |
fedoraproject | fedora | 37 | |
fedoraproject | fedora | 38 | |
fedoraproject | fedora | 39 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DFC29A5-004B-4815-AF02-37517672D3F1", "versionEndExcluding": "4.21.0", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `\u003ctextarea\u003e` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism.\n\nA fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page." } ], "id": "CVE-2023-28439", "lastModified": "2024-11-21T07:55:04.157", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-03-22T21:15:18.607", "references": [ { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://ckeditor.com/cke4/addon/embed" }, { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://ckeditor.com/cke4/addon/iframe" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g" }, { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/" }, { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/" }, { "source": "security-advisories@github.com", "tags": [ "Mailing List" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://ckeditor.com/cke4/addon/embed" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://ckeditor.com/cke4/addon/iframe" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-03-16 17:15
Modified
2024-11-21 06:50
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC4BF70E-8D8F-4E6E-87BC-0103C0ED541F", "versionEndExcluding": "4.18.0", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "40450340-0D4F-4A9F-AADB-1708F844690A", "versionEndExcluding": "9.2.15", "versionStartIncluding": "8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9992D37-51EB-4011-9335-D1653AE2D59B", "versionEndExcluding": "9.3.8", "versionStartIncluding": "9.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "48B23728-0050-4AF0-B8B0-A959CBAB4505", "versionEndExcluding": "22.1.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "6135501A-3F3C-42BA-B2C4-79403F3510D8", "versionEndIncluding": "8.1.0.0.0", "versionStartIncluding": "8.0.7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3CC69CF0-6269-40F5-871B-16CFD5EC4C45", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "172BECE8-9626-4910-AAA1-A2FA9C7139E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "ACB82398-7281-47CF-81F9-A8A67D9C9DFE", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD9AC3A6-9B91-4B55-A320-A40E95F21058", "versionEndIncluding": "8.1.2.1", "versionStartIncluding": "8.1.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "B0EF38D2-EF89-4DBC-B305-1A5D5FC0B186", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "155FF008-1054-4943-B1C3-9117E3E51AC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B57ECC6E-CC64-4DE7-B657-3BA54EDDFFF4", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*", "matchCriteriaId": "10BBAD37-51A1-4819-807B-2642E9D4A69C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds." }, { "lang": "es", "value": "CKEditor4 es un editor HTML de c\u00f3digo abierto \"lo que visualizas es lo que obtienes\". CKEditor4 versiones anteriores a 4.18.0, contiene una vulnerabilidad en el plugin \"dialog\". La vulnerabilidad permite abusar de una expresi\u00f3n regular del validador de entrada de di\u00e1logos, lo que puede causar una importante ca\u00edda de rendimiento resultando en una congelaci\u00f3n de la pesta\u00f1a del navegador. Se presenta un parche disponible en versi\u00f3n 4.18.0. Actualmente no se conocen medidas de mitigaci\u00f3n" } ], "id": "CVE-2022-24729", "lastModified": "2024-11-21T06:50:57.993", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-03-16T17:15:07.943", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.18.0" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.drupal.org/sa-core-2022-005" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.18.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.drupal.org/sa-core-2022-005" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-1333" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-12 17:15
Modified
2024-11-21 06:07
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | * | |
fedoraproject | fedora | 33 | |
fedoraproject | fedora | 34 | |
fedoraproject | fedora | 35 | |
oracle | application_express | * | |
oracle | banking_party_management | 2.7.0 | |
oracle | commerce_guided_search | 11.3.2 | |
oracle | commerce_merchandising | 11.3.2 | |
oracle | documaker | 12.6.3 | |
oracle | documaker | 12.6.4 | |
oracle | financial_services_analytical_applications_infrastructure | * | |
oracle | jd_edwards_enterpriseone_tools | * | |
oracle | peoplesoft_enterprise_peopletools | 8.57 | |
oracle | peoplesoft_enterprise_peopletools | 8.58 | |
oracle | peoplesoft_enterprise_peopletools | 8.59 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6D43BFDE-1C1E-45E3-B275-B6B0BC33E30C", "versionEndExcluding": "4.16.2", "versionStartIncluding": "4.5.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "485DEB26-3C1D-4FEC-A9C1-D95BFE3B967E", "versionEndExcluding": "21.1.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "C542DC5E-6657-4178-9C69-46FD3C187D56", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "2A3622F5-5976-4BBC-A147-FC8A6431EA79", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "34019365-E6E3-4DBC-89EA-5783A29B61B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "3A1427F8-50F3-45B2-8836-A80ADA70F431", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EA4D3C5-6A7C-4421-88EF-445A96DBCE0C", "versionEndIncluding": "8.1.1", "versionStartIncluding": "8.0.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "86305E47-33E9-411C-B932-08C395C09982", "versionEndExcluding": "9.2.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "matchCriteriaId": "7E1E416B-920B-49A0-9523-382898C2979D", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version \u003e= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2." }, { "lang": "es", "value": "ckeditor es un editor HTML WYSIWYG de c\u00f3digo abierto con soporte de contenido enriquecido. Se ha detectado una potencial vulnerabilidad en el paquete CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard). La vulnerabilidad permit\u00eda abusar de la funcionalidad paste usando HTML malformado, lo que pod\u00eda resultar en la inyecci\u00f3n de HTML arbitrario en el editor. Afecta a todos los usuarios que usen los plugins de CKEditor 4 mencionados anteriormente en las versiones posteriores a 4.5.2 incluy\u00e9ndola. El problema ha sido reconocido y parcheado. La correcci\u00f3n estar\u00e1 disponible en la versi\u00f3n 4.16.2" } ], "id": "CVE-2021-32809", "lastModified": "2024-11-21T06:07:47.520", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-12T17:15:08.167", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-11-13 21:15
Modified
2024-11-21 01:33
Severity ?
Summary
hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.
References
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2013/06/04/5 | Mailing List, Third Party Advisory | |
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2013/06/04/7 | Mailing List, Third Party Advisory | |
secalert@redhat.com | https://drupal.org/node/1337006 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2013/06/04/5 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2013/06/04/7 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://drupal.org/node/1337006 | Patch, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.4:*:*:*:*:drupal:*:*", "matchCriteriaId": "D603E623-A4E6-411F-BA65-3391FEA5550A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request." }, { "lang": "es", "value": "La funci\u00f3n hook_file_download en el m\u00f3dulo CKEditor versiones 7.x-1.4 para Drupal, no restringe correctamente el acceso a archivos privados, lo que permite a atacantes remotos leer archivos privados por medio de una petici\u00f3n directa." } ], "id": "CVE-2011-4972", "lastModified": "2024-11-21T01:33:23.483", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-11-13T21:15:11.430", "references": [ { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/04/5" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/04/7" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://drupal.org/node/1337006" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/04/5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/04/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://drupal.org/node/1337006" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-02-07 17:15
Modified
2024-11-21 08:59
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6B9E14F-3103-4A78-A337-47786B2B06ED", "versionEndExcluding": "4.24.0", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version \u003c 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts." }, { "lang": "es", "value": "CKEditor4 es un editor HTML de c\u00f3digo abierto de lo que ves es lo que obtienes. Se descubri\u00f3 una vulnerabilidad de cross-site scripting en versiones anteriores a la 4.24.0-lts en muestras que utilizan la funci\u00f3n \"vista previa\". Todos los integradores que utilicen estos ejemplos en el c\u00f3digo de producci\u00f3n pueden verse afectados. La vulnerabilidad permite a un atacante ejecutar c\u00f3digo JavaScript abusando de la funci\u00f3n de vista previa mal configurada. Afecta a todos los usuarios que utilizan CKEditor 4 en la versi\u00f3n \u0026lt;4.24.0-lts con muestras afectadas utilizadas en un entorno de producci\u00f3n. Hay una soluci\u00f3n disponible en la versi\u00f3n 4.24.0-lts." } ], "id": "CVE-2024-24816", "lastModified": "2024-11-21T08:59:46.490", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-02-07T17:15:11.383", "references": [ { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://ckeditor.com/cke4/addon/preview" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://ckeditor.com/cke4/addon/preview" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-02-07 16:15
Modified
2024-11-21 08:59
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:lts:*:*:*", "matchCriteriaId": "5070BF32-E186-434A-9640-21D43A3CDA38", "versionEndExcluding": "4.24.0", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts." }, { "lang": "es", "value": "CKEditor4 es un editor HTML de c\u00f3digo abierto de lo que ves es lo que obtienes. Se ha descubierto una vulnerabilidad de cross-site scripting en el m\u00f3dulo principal de an\u00e1lisis HTML en versiones de CKEditor4 anteriores a la 4.24.0-lts. Puede afectar a todas las instancias del editor que habilitaron el modo de edici\u00f3n de p\u00e1gina completa o habilitaron elementos CDATA en la configuraci\u00f3n de filtrado de contenido avanzado (los elementos predeterminados son `script` y `style`). La vulnerabilidad permite a los atacantes inyectar contenido HTML con formato incorrecto sin pasar por el mecanismo de filtrado de contenido avanzado, lo que podr\u00eda resultar en la ejecuci\u00f3n de c\u00f3digo JavaScript. Un atacante podr\u00eda abusar de la detecci\u00f3n de contenido CDATA defectuosa y utilizarla para preparar un ataque intencional al editor. Hay una soluci\u00f3n disponible en la versi\u00f3n 4.24.0-lts." } ], "id": "CVE-2024-24815", "lastModified": "2024-11-21T08:59:46.343", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-02-07T16:15:47.753", "references": [ { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata" }, { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html" }, { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm" }, { "source": "security-advisories@github.com", "url": "https://www.drupal.org/sa-contrib-2024-009" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.drupal.org/sa-contrib-2024-009" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-13 00:15
Modified
2024-11-21 06:15
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BEAA71B-F9E5-441E-AB08-E76DAF0A32F8", "versionEndExcluding": "4.16.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "485DEB26-3C1D-4FEC-A9C1-D95BFE3B967E", "versionEndExcluding": "21.1.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "C542DC5E-6657-4178-9C69-46FD3C187D56", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "2A3622F5-5976-4BBC-A147-FC8A6431EA79", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "34019365-E6E3-4DBC-89EA-5783A29B61B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "3A1427F8-50F3-45B2-8836-A80ADA70F431", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EA4D3C5-6A7C-4421-88EF-445A96DBCE0C", "versionEndIncluding": "8.1.1", "versionStartIncluding": "8.0.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F238CB66-886D-47E8-8DC0-7FC2025771EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D0E8BB8-DB96-48F2-833A-D246193EEDD4", "versionEndIncluding": "8.1.0.0.0", "versionStartIncluding": "8.0.8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "86305E47-33E9-411C-B932-08C395C09982", "versionEndExcluding": "9.2.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "matchCriteriaId": "7E1E416B-920B-49A0-9523-382898C2979D", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version \u003c 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2." }, { "lang": "es", "value": "ckeditor es un editor HTML WYSIWYG de c\u00f3digo abierto con soporte de contenido enriquecido.\u0026#xa0;Se ha detectado una vulnerabilidad potencial en el paquete CKEditor 4 [Fake Objects] (https://ckeditor.com/cke4/addon/fakeobjects).\u0026#xa0;La vulnerabilidad permiti\u00f3 inyectar Fake Objects HTML con formato malformado, lo que podr\u00eda resultar en una ejecuci\u00f3n de c\u00f3digo JavaScript.\u0026#xa0;Afecta a todos los usuarios que utilizan los plugins de CKEditor 4 enumerados anteriormente en las versiones anteriores a 4.16.2.\u0026#xa0;El problema ha sido reconocido y solucionado.\u0026#xa0;La correcci\u00f3n estar\u00e1 disponible en la versi\u00f3n 4.16.2." } ], "id": "CVE-2021-37695", "lastModified": "2024-11-21T06:15:43.433", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-13T00:15:07.397", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc" }, { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-08-21 15:15
Modified
2024-08-23 16:20
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:lts:*:*:*", "matchCriteriaId": "C4754AC3-7A7F-4BFA-BD12-066EE0C46FC3", "versionEndExcluding": "4.25.0", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts." }, { "lang": "es", "value": "CKEditor4 es un editor HTML de c\u00f3digo abierto de lo que ves es lo que obtienes. Se ha descubierto una vulnerabilidad potencial en el complemento GeSHi del fragmento de c\u00f3digo de CKEditor 4. La vulnerabilidad permiti\u00f3 un ataque XSS reflejado al explotar una falla en la librer\u00eda de resaltado de sintaxis GeSHi alojada por la v\u00edctima. La librer\u00eda GeSHi se incluy\u00f3 como dependencia del proveedor en los archivos fuente de CKEditor 4. En un escenario espec\u00edfico, un atacante podr\u00eda crear un script malicioso que podr\u00eda ejecutarse enviando una solicitud a la librer\u00eda GeSHi alojada en un servidor web PHP. La librer\u00eda GeSHi ya no se mantiene activamente. Debido a la falta de soporte y actualizaciones continuas, se han identificado posibles vulnerabilidades de seguridad con su uso continuo. Para mitigar estos riesgos y mejorar la seguridad general de CKEditor 4, hemos decidido eliminar por completo la librer\u00eda GeSHi como dependencia. Este cambio tiene como objetivo mantener un entorno seguro y reducir el riesgo de incidentes de seguridad relacionados con software desactualizado o sin soporte. La soluci\u00f3n estar\u00e1 disponible en la versi\u00f3n 4.25.0-lts." } ], "id": "CVE-2024-43407", "lastModified": "2024-08-23T16:20:42.363", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-08-21T15:15:09.397", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-05 00:55
Modified
2024-11-21 01:38
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:*:*:*:*:*:*:*", "matchCriteriaId": "44B163FD-1FE9-48C4-B0AA-DD50847FF1F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:beta:*:*:*:*:*:*", "matchCriteriaId": "F76C9A2D-841B-40B2-9B20-3D19B8E4D599", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:beta2:*:*:*:*:*:*", "matchCriteriaId": "5F296BCB-1010-47CD-8710-CB2B811A2CCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.2:*:*:*:*:*:*:*", "matchCriteriaId": "0B350AE9-4072-4E78-B891-693E83A10B68", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.2-1:*:*:*:*:*:*:*", "matchCriteriaId": "1CBBEAAF-31FB-4EFB-971A-FB6A0A7D237F", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:*:*:*:*:*:*:*", "matchCriteriaId": "09808721-056C-4BE8-8BFB-D31D6F95C751", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:beta:*:*:*:*:*:*", "matchCriteriaId": "9AEB8F31-C6F3-45D1-95C3-D9F4DE8A011F", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:beta2:*:*:*:*:*:*", "matchCriteriaId": "423F1192-70EB-4EA8-8FD2-4DD913513311", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "D21FCEAD-0D7B-4B9B-995F-9DC0B59D9EC5", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "C31D54C7-B2F6-44F5-A7EE-1256F69561A4", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc3:*:*:*:*:*:*", "matchCriteriaId": "169C2734-5A10-4486-8329-1B4C99377F34", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc5:*:*:*:*:*:*", "matchCriteriaId": "D2A96BDD-CE2A-468B-BA11-420013FD962A", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc6:*:*:*:*:*:*", "matchCriteriaId": "D36AA137-0B92-4C0C-A110-689CD1D8B13C", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc7:*:*:*:*:*:*", "matchCriteriaId": "7B9AF995-8E15-49E5-A999-D46F4021DF9A", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:*:*:*:*:*:*:*", "matchCriteriaId": "5E35468C-4F35-44CA-AB5A-B744DAAEA5A5", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "9BC0703D-CC61-4035-BD4F-4FA225E91247", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "053CB577-FAA9-4C52-9F70-79EAB0EF2C7F", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-1.x:dev:*:*:*:*:*:*", "matchCriteriaId": "80718F1B-01E0-470C-A64B-FE6EF21E7B33", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:*:*:*:*:*:*:*", "matchCriteriaId": "3972DA1A-AB39-40C0-B07A-C78A14F4BE9F", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "6D692A34-334E-4EF6-A9A2-00E0DBCBF8F2", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "7D8493A8-16C7-4A86-B117-5D6960672A26", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "16A838C7-F87F-4700-978A-CBE29CC05778", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "4204743A-1AF1-453E-816B-89B789421157", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "ACC858F4-915F-4269-89F4-5850E89D95B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "CC2E4995-E98D-4EBA-8F68-8D1AC8013220", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "2A4AF219-9088-4AF2-8B59-D72B5B8E0EEF", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "46BDEF08-D257-47BF-8A43-9968C2B8EF5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "5A9FB606-1EF7-4503-839F-4C1C5128C690", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D368C7DA-85EA-4B80-AFF8-20FFE4CCD410", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.1:*:*:*:*:*:*:*", "matchCriteriaId": "7E725F77-8490-42E5-B4C2-A905375819EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "19315A5D-A5B4-48A2-9823-E7D079578FF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.2:*:*:*:*:*:*:*", "matchCriteriaId": "C9E1CF58-3074-4917-953A-7B553D42A22B", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "D877BB1B-FDDF-4E32-A708-5C4EF293895B", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.3:*:*:*:*:*:*:*", "matchCriteriaId": "2D6AF3DE-116C-4C48-9122-A0AB461F3DA7", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:fckeditor:6.x-2.x:dev:*:*:*:*:*:*", "matchCriteriaId": "69A13208-719D-4627-BA30-2EE9D7D3D911", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.0:*:*:*:*:*:*:*", "matchCriteriaId": "80ACD9BA-BFAA-4421-BF46-FACC1D8EB66C", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "7B8252BB-5C2D-40B1-971E-B170DF5D8583", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.1:*:*:*:*:*:*:*", "matchCriteriaId": "7DD74EB7-12C7-495B-86D8-A63FB853A99E", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.2:*:*:*:*:*:*:*", "matchCriteriaId": "39FE612F-4CAC-4D3B-85D2-49201BE699F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.3:*:*:*:*:*:*:*", "matchCriteriaId": "81515584-8CA5-445C-9396-90236B215104", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.4:*:*:*:*:*:*:*", "matchCriteriaId": "3240117F-7FB4-495C-9CAF-7A902499B3D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.5:*:*:*:*:*:*:*", "matchCriteriaId": "ED7C7988-B82E-4BB0-B966-E2D5BFB09E69", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.6:*:*:*:*:*:*:*", "matchCriteriaId": "4D62BBD9-C702-4BEA-B8A9-960B31630EA3", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.7:*:*:*:*:*:*:*", "matchCriteriaId": "61D011F9-21E1-4B47-94D9-68F9E1DF92B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:6.x-1.x:dev:*:*:*:*:*:*", "matchCriteriaId": "7F2EA237-1B55-49F3-B95C-6FAAA28901C8", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.0:*:*:*:*:*:*:*", "matchCriteriaId": "42B69434-2F6F-4D0F-ADB9-FD7BD8A2B296", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C3398A12-5E6D-4E6B-80B1-D8C177FA8168", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.1:*:*:*:*:*:*:*", "matchCriteriaId": "6F74FCCC-4DAC-40DE-AA3C-8A77D8250EFA", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.2:*:*:*:*:*:*:*", "matchCriteriaId": "73BF8196-B275-4C69-BE33-3F8D8865D8A0", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.3:*:*:*:*:*:*:*", "matchCriteriaId": "0A64FD18-5402-4971-8483-95CF3535B019", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.4:*:*:*:*:*:*:*", "matchCriteriaId": "672ACFFD-70C6-457F-BF5B-9B85CCB08959", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.5:*:*:*:*:*:*:*", "matchCriteriaId": "8B4D96C8-18E7-45B5-A107-CBFBFF6D2C85", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.6:*:*:*:*:*:*:*", "matchCriteriaId": "5DB70B6B-3ECC-459D-98DA-0BB76AE9296D", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:7.x-1.x:dev:*:*:*:*:*:*", "matchCriteriaId": "07087627-FA8A-4E3B-8509-B1A2E4E864B5", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de c\u00f3digo en sitios cruzados (XSS) en el m\u00f3dulo FCKeditor v6.x-2.x anterior a v6.x-2.3 y el m\u00f3dulo CKEditor v6.x-1.x anterior a v6.x-1.9 y v77.x-1.x anterior a v7.x-1.7 para Drupal permite a usuarios remotos autenticados o atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2012-2066", "lastModified": "2024-11-21T01:38:25.357", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-09-05T00:55:15.137", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482442" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482466" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482480" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://drupal.org/node/1482528" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/48435" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1" }, { "source": "secalert@redhat.com", "url": "http://www.osvdb.org/80079" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74036" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482442" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482466" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://drupal.org/node/1482480" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://drupal.org/node/1482528" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/48435" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/04/07/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/80079" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74036" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-12 17:15
Modified
2024-11-21 06:07
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | * | |
fedoraproject | fedora | 33 | |
fedoraproject | fedora | 34 | |
fedoraproject | fedora | 35 | |
oracle | application_express | * | |
oracle | banking_party_management | 2.7.0 | |
oracle | commerce_guided_search | 11.3.2 | |
oracle | commerce_merchandising | 11.3.2 | |
oracle | documaker | 12.6.3 | |
oracle | documaker | 12.6.4 | |
oracle | financial_services_analytical_applications_infrastructure | * | |
oracle | financial_services_model_management_and_governance | 8.0.8.0.0 | |
oracle | financial_services_model_management_and_governance | 8.1.0.0.0 | |
oracle | jd_edwards_enterpriseone_tools | * | |
oracle | peoplesoft_enterprise_peopletools | 8.57 | |
oracle | peoplesoft_enterprise_peopletools | 8.58 | |
oracle | peoplesoft_enterprise_peopletools | 8.59 | |
oracle | siebel_ui_framework | * | |
oracle | webcenter_sites | 12.2.1.3.0 | |
oracle | webcenter_sites | 12.2.1.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "041A9BB3-14C9-4038-AA5B-F30EC249DA40", "versionEndExcluding": "4.16.2", "versionStartIncluding": "4.13.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "485DEB26-3C1D-4FEC-A9C1-D95BFE3B967E", "versionEndExcluding": "21.1.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "C542DC5E-6657-4178-9C69-46FD3C187D56", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "2A3622F5-5976-4BBC-A147-FC8A6431EA79", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "34019365-E6E3-4DBC-89EA-5783A29B61B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "3A1427F8-50F3-45B2-8836-A80ADA70F431", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EA4D3C5-6A7C-4421-88EF-445A96DBCE0C", "versionEndIncluding": "8.1.1", "versionStartIncluding": "8.0.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.0.8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F033C6C8-61D9-41ED-94E6-63BE7BA22EFC", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B829B72-7DE0-415F-A1AF-51637F134B76", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "9722362B-027B-4311-8F3A-287AE1199019", "versionEndIncluding": "9.2.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "matchCriteriaId": "7E1E416B-920B-49A0-9523-382898C2979D", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "90605BF7-9C9B-4AC2-83B6-3666C5A15D43", "versionEndIncluding": "21.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D551CAB1-4312-44AA-BDA8-A030817E153A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "174A6D2E-E42E-4C92-A194-C6A820CD7EF4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version \u003e= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2." }, { "lang": "es", "value": "ckeditor es un editor HTML WYSIWYG de c\u00f3digo abierto con soporte de contenido enriquecido. Se ha detectado una vulnerabilidad en el plugin Widget del portapapeles si es usado junto con la funcionalidad undo. La vulnerabilidad permite a un usuario abusar de la funcionalidad undo usando HTML malformado del widget, lo que podr\u00eda resultar en una ejecuci\u00f3n de c\u00f3digo JavaScript. Afecta a todos los usuarios que usen los plugins de CKEditor 4 mencionados anteriormente en las versiones posteriores a 4.13.0 incluy\u00e9ndola. El problema ha sido reconocido y parcheado. La correcci\u00f3n estar\u00e1 disponible en la versi\u00f3n 4.16.2" } ], "id": "CVE-2021-32808", "lastModified": "2024-11-21T06:07:47.340", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-12T17:15:08.047", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-01-26 21:15
Modified
2024-11-21 05:56
Severity ?
Summary
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | * | |
oracle | agile_plm | 9.3.5 | |
oracle | agile_plm | 9.3.6 | |
oracle | application_express | * | |
oracle | banking_party_management | 2.7.0 | |
oracle | commerce_merchandising | * | |
oracle | commerce_merchandising | 11.1.0 | |
oracle | commerce_merchandising | 11.2.0 | |
oracle | financial_services_analytical_applications_infrastructure | * | |
oracle | financial_services_analytical_applications_infrastructure | 8.1.0 | |
oracle | financial_services_analytical_applications_infrastructure | 8.1.1 | |
oracle | financial_services_model_management_and_governance | * | |
oracle | jd_edwards_enterpriseone_tools | * | |
oracle | siebel_ui_framework | * | |
oracle | webcenter_sites | 12.2.1.3.0 | |
oracle | webcenter_sites | 12.2.1.4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C5F969A-06A2-4D84-B7DF-1CE68E285C0F", "versionEndExcluding": "4.16", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "ED43772F-D280-42F6-A292-7198284D6FE7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B4D758F-EABD-498C-9C9E-C3F35927F7DC", "versionEndExcluding": "21.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "C542DC5E-6657-4178-9C69-46FD3C187D56", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:*:*:*:*:*:*:*:*", "matchCriteriaId": "E10F540D-8AAF-42D4-B06A-573C5DC3CC44", "versionEndIncluding": "11.3.2", "versionStartIncluding": "11.3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9B7F80B8-08DC-4263-AB44-1653ED1FEFE3", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "4C65F9D9-AD7B-47B8-8943-79CEA6A95AD6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "40F940AA-05BE-426C-89A3-4098E107D9A7", "versionEndIncluding": "8.0.9", "versionStartIncluding": "8.0.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6FB8AE1F-FA6B-4A5E-AA5B-D0B7C78FE886", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "41C2C67B-BF55-4B48-A94D-1F37A4FAC68C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D0E8BB8-DB96-48F2-833A-D246193EEDD4", "versionEndIncluding": "8.1.0.0.0", "versionStartIncluding": "8.0.8.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "86305E47-33E9-411C-B932-08C395C09982", "versionEndExcluding": "9.2.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "90605BF7-9C9B-4AC2-83B6-3666C5A15D43", "versionEndIncluding": "21.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D551CAB1-4312-44AA-BDA8-A030817E153A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "174A6D2E-E42E-4C92-A194-C6A820CD7EF4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin)." }, { "lang": "es", "value": "Era posible ejecutar un ataque de tipo ReDoS dentro de CKEditor 4 versiones anteriores a 4.16, al persuadir a una v\u00edctima para pegar un texto similar a una URL en el editor y luego presionar Enter o Space (en el plugin Autolink)" } ], "id": "CVE-2021-26272", "lastModified": "2024-11-21T05:56:00.900", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-01-26T21:15:12.923", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "source": "cve@mitre.org", "tags": [ "Not Applicable", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-829" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-02-13 20:15
Modified
2024-11-21 07:32
Severity ?
Summary
CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false).
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:35.4.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "F2BA326D-74B1-4665-9DE4-5F5E85D4741A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [ { "sourceIdentifier": "cve@mitre.org", "tags": [ "disputed" ] } ], "descriptions": [ { "lang": "en", "value": "CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor\u0027s position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false)." }, { "lang": "es", "value": "Se descubri\u00f3 que CKSource CKEditor 5 35.4.0 contiene una vulnerabilidad de cross-site scripting (XSS) a trav\u00e9s del widget CKEditor5 con todas las funciones. NOTA: la posici\u00f3n del proveedor es que esto no es una vulnerabilidad. La documentaci\u00f3n de CKEditor 5 analiza que es responsabilidad de un integrador (que agrega la funcionalidad de CKEditor 5 a un sitio web) elegir la configuraci\u00f3n de seguridad correcta para su caso de uso. Adem\u00e1s, se establecen valores predeterminados seguros (por ejemplo, config.htmlEmbed.showPreviews es falso)." } ], "id": "CVE-2022-48110", "lastModified": "2024-11-21T07:32:50.707", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-02-13T20:15:10.820", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "https://packetstormsecurity.com/files/170927/CKSource-CKEditor5-35.4.0-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "https://packetstormsecurity.com/files/170927/CKSource-CKEditor5-35.4.0-Cross-Site-Scripting.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-07 01:15
Modified
2024-11-21 05:40
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | * | |
fedoraproject | fedora | 30 | |
fedoraproject | fedora | 31 | |
fedoraproject | fedora | 32 | |
drupal | drupal | * | |
drupal | drupal | * | |
oracle | agile_plm | 9.3.5 | |
oracle | agile_plm | 9.3.6 | |
oracle | application_express | * | |
oracle | jd_edwards_enterpriseone_tools | * | |
oracle | peoplesoft_enterprise_peopletools | - | |
oracle | peoplesoft_enterprise_peopletools | 8.56 | |
oracle | peoplesoft_enterprise_peopletools | 8.57 | |
oracle | peoplesoft_enterprise_peopletools | 8.58 | |
oracle | siebel_apps_-_customer_order_management | * | |
oracle | webcenter_portal | 11.1.1.9.0 | |
oracle | webcenter_portal | 12.2.1.3.0 | |
oracle | webcenter_portal | 12.2.1.4.0 | |
oracle | banking_enterprise_default_management | 2.6.2 | |
oracle | banking_enterprise_default_management | 2.7.0 | |
oracle | banking_enterprise_default_management | 2.7.1 | |
oracle | banking_enterprise_default_management | 2.10.0 | |
oracle | banking_enterprise_default_management | 2.12.0 | |
oracle | banking_enterprise_default_managment | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD2A80E8-E9A1-4C53-8CA1-7961EEBF5484", "versionEndExcluding": "4.14", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C94963F-9771-4519-8D82-4EE9430BF3E7", "versionEndExcluding": "8.7.12", "versionStartIncluding": "8.7.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7974503-263F-4534-8895-DDF0866F0D61", "versionEndExcluding": "8.8.4", "versionStartIncluding": "8.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "ED43772F-D280-42F6-A292-7198284D6FE7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "96FC5AC6-88AC-4C4D-8692-7489D6DE8E16", "versionEndExcluding": "20.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0F00658-CE6C-4198-BE33-435BD67761E5", "versionEndExcluding": "9.2.5.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:-:*:*:*:*:*:*:*", "matchCriteriaId": "35070A11-340A-449E-B5FA-B8769C5EA2A2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*", "matchCriteriaId": "D0A735B4-4F3C-416B-8C08-9CB21BAD2889", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "matchCriteriaId": "7E1E416B-920B-49A0-9523-382898C2979D", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:siebel_apps_-_customer_order_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6443929-70D6-4C9A-AF95-EFFD34E388FC", "versionEndExcluding": "21.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "D7756147-7168-4E03-93EE-31379F6BE88E", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6A4F71A-4269-40FC-8F61-1D1301F2B728", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A502118-5B2B-47AE-82EC-1999BD841103", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "E60C0966-BF0D-4D18-B09B-5D0BB96DBFF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0FCD3BC-33D8-49D1-844B-6B9DE0CA4997", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "473749BD-267E-480F-8E7F-C762702DB66E", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "74C7E2F1-17FC-4322-A5C3-F7EB612BA4F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "320D36DA-D99F-4149-B582-3F4AB2F41A1B", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_managment:*:*:*:*:*:*:*:*", "matchCriteriaId": "05E4EB25-7B7A-4A10-A535-8C7CA4D6FEB6", "versionEndIncluding": "2.4.0", "versionStartIncluding": "2.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted \"protected\" comment (with the cke_protected syntax)." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en el HTML Data Processor for CKEditor versiones 4.0 anteriores a 4.14, permite a atacantes remotos inyectar script web arbitrario por medio de un comentario \"protected\" dise\u00f1ado (con la sintaxis cke_protected)." } ], "id": "CVE-2020-9281", "lastModified": "2024-11-21T05:40:20.923", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-07T01:15:15.517", "references": [ { "source": "cve@mitre.org", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "source": "cve@mitre.org", "tags": [ "Not Applicable", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-06-09 12:15
Modified
2024-11-21 06:09
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | * | |
fedoraproject | fedora | 33 | |
fedoraproject | fedora | 34 | |
fedoraproject | fedora | 35 | |
drupal | drupal | * | |
drupal | drupal | * | |
drupal | drupal | * | |
debian | debian_linux | 9.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFFB5240-2238-488D-B690-7C2CA9630212", "versionEndExcluding": "4.16.1", "versionStartIncluding": "4.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D3D5EBD-1B9B-468E-9CBF-01F54FA8C2F9", "versionEndExcluding": "8.9.16", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFA9B1A2-DF65-4E25-8CB1-E042734BDCBC", "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "C36AE9CA-FAB9-40C7-AF1B-960C947D4DF4", "versionEndExcluding": "9.1.9", "versionStartIncluding": "9.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!\u003e is mishandled." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en el Procesador de Datos HTML en CKEditor versiones 4 4.14.0 hasta 4.16.x versiones anteriores a 4.16.1, permite a atacantes remotos inyectar c\u00f3digo JavaScript ejecutable mediante un comentario dise\u00f1ado porque -!\u0026gt; No es manejado apropiadamente" } ], "id": "CVE-2021-33829", "lastModified": "2024-11-21T06:09:38.707", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-06-09T12:15:07.863", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.drupal.org/sa-core-2021-003" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.drupal.org/sa-core-2021-003" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-11-12 21:15
Modified
2024-11-21 05:20
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | 4.15.0 | |
oracle | agile_plm | 9.3.5 | |
oracle | agile_plm | 9.3.6 | |
oracle | application_express | * | |
oracle | banking_party_management | 2.7.0 | |
oracle | banking_platform | 2.4.0 | |
oracle | banking_platform | 2.7.0 | |
oracle | banking_platform | 2.7.1 | |
oracle | banking_platform | 2.8.0 | |
oracle | banking_platform | 2.9.0 | |
oracle | commerce_merchandising | 11.0.0 | |
oracle | commerce_merchandising | 11.1.0 | |
oracle | commerce_merchandising | 11.2.0 | |
oracle | commerce_merchandising | 11.3.0 | |
oracle | commerce_merchandising | 11.3.1 | |
oracle | commerce_merchandising | 11.3.2 | |
oracle | financial_services_analytical_applications_infrastructure | * | |
oracle | financial_services_analytical_applications_infrastructure | 8.1.0 | |
oracle | financial_services_analytical_applications_infrastructure | 8.1.1 | |
oracle | jd_edwards_enterpriseone_tools | * | |
oracle | peoplesoft_enterprise_peopletools | 8.56 | |
oracle | peoplesoft_enterprise_peopletools | 8.57 | |
oracle | peoplesoft_enterprise_peopletools | 8.58 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:4.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "11FB2D9A-A2A3-40BC-98DF-F227851FA30E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "ED43772F-D280-42F6-A292-7198284D6FE7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F02ECEF-AC7D-4C4C-9A95-890D135F7286", "versionEndExcluding": "21.1.0.00.01", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "C542DC5E-6657-4178-9C69-46FD3C187D56", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2BEE49E-A5AA-42D3-B422-460454505480", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "282150FF-C945-4A3E-8A80-E8757A8907EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "645AA3D1-C8B5-4CD2-8ACE-31541FA267F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "FBCE22C0-4253-40A5-89AE-499A3BC9EFF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "AB9FC9AB-1070-420F-870E-A5EC43A924A4", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B5989E02-5612-4E7F-958F-9292CBBA1D2A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9B7F80B8-08DC-4263-AB44-1653ED1FEFE3", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "4C65F9D9-AD7B-47B8-8943-79CEA6A95AD6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "888A8458-7E66-4BDB-998A-EE3A9253499A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "011EA344-1A80-4482-A505-65C83D21E5B3", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "40F940AA-05BE-426C-89A3-4098E107D9A7", "versionEndIncluding": "8.0.9", "versionStartIncluding": "8.0.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6FB8AE1F-FA6B-4A5E-AA5B-D0B7C78FE886", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "41C2C67B-BF55-4B48-A94D-1F37A4FAC68C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "86305E47-33E9-411C-B932-08C395C09982", "versionEndExcluding": "9.2.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*", "matchCriteriaId": "D0A735B4-4F3C-416B-8C08-9CB21BAD2889", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "matchCriteriaId": "7E1E416B-920B-49A0-9523-382898C2979D", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en el plugin Color Dialog para CKEditor versi\u00f3n 4.15.0, permite a atacantes remotos ejecutar script web arbitrario despu\u00e9s de persuadir a un usuario para que copie y pegue c\u00f3digo HTML dise\u00f1ado en una de las entradas del editor" } ], "id": "CVE-2020-27193", "lastModified": "2024-11-21T05:20:50.663", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-11-12T21:15:11.107", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.15.1" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/ckeditor-4/download/" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/cke4/release/CKEditor-4.15.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://ckeditor.com/ckeditor-4/download/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-10 17:15
Modified
2024-11-21 05:40
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | 4.0 | |
webspellchecker | webspellchecker | * | |
fedoraproject | fedora | 30 | |
fedoraproject | fedora | 31 | |
fedoraproject | fedora | 32 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5C89EC56-786D-40AB-AC0B-C8C77A056F22", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:webspellchecker:webspellchecker:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CF738E0-968F-4DFD-B908-DDFDC006F6AB", "versionEndIncluding": "5.5.7.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en el pluging WSC versiones hasta la versi\u00f3n 5.5.7.5 para CKEditor 4, permite a atacantes remotos ejecutar script web arbitrario dentro de un elemento IFRAME mediante la inyecci\u00f3n de un elemento HTML especialmente dise\u00f1ado en el editor." } ], "id": "CVE-2020-9440", "lastModified": "2024-11-21T05:40:38.910", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-10T17:15:13.207", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-08-07 11:13
Modified
2024-11-21 02:11
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "09B89F11-D1ED-41DF-8AA7-907D9B36C56D", "versionEndIncluding": "4.4.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:4.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F8FEA9F6-DDAA-4883-BC0D-415DBC827272", "vulnerable": true }, { "criteria": "cpe:2.3:a:ckeditor:ckeditor:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "EBA4A112-D497-49CC-B204-A628A00852A2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de XSS en el plugin Preview anterior a 4.4.3 en CKEditor permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2014-5191", "lastModified": "2024-11-21T02:11:35.260", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-08-07T11:13:37.063", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://ckeditor.com/node/136981" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/60036" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/69161" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://ckeditor.com/node/136981" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/60036" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/69161" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-13 17:15
Modified
2025-01-03 20:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://redmine.com | Broken Link | |
cve@mitre.org | http://redmineckeditor.com | Broken Link | |
cve@mitre.org | https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://redmine.com | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | http://redmineckeditor.com | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:1.2.3:*:*:*:*:redmine:*:*", "matchCriteriaId": "F8ED9F26-7429-434C-8FD9-5D1C6825DEB9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A unrestricted file upload vulnerability was discovered in the \u2018Browse and upload images\u2019 feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server." } ], "id": "CVE-2023-31541", "lastModified": "2025-01-03T20:15:26.650", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2023-06-13T17:15:14.810", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://redmine.com" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://redmineckeditor.com" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://redmine.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://redmineckeditor.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-17 19:15
Modified
2024-11-21 06:25
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
ckeditor | ckeditor | * | |
drupal | drupal | * | |
drupal | drupal | * | |
drupal | drupal | * | |
oracle | banking_apis | * | |
oracle | banking_apis | 19.1 | |
oracle | banking_apis | 19.2 | |
oracle | banking_apis | 20.1 | |
oracle | banking_apis | 21.1 | |
oracle | banking_digital_experience | * | |
oracle | banking_digital_experience | 19.1 | |
oracle | banking_digital_experience | 19.2 | |
oracle | banking_digital_experience | 20.1 | |
oracle | banking_digital_experience | 21.1 | |
oracle | agile_plm | 9.3.6 | |
oracle | application_express | * | |
oracle | commerce_guided_search | 11.3.2 | |
oracle | peoplesoft_enterprise_peopletools | 8.58 | |
oracle | peoplesoft_enterprise_peopletools | 8.59 | |
oracle | webcenter_portal | 12.2.1.3.0 | |
oracle | webcenter_portal | 12.2.1.4.0 | |
fedoraproject | fedora | 36 | |
fedoraproject | fedora | 37 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0CAD700-EEEB-4A88-902D-40A62BD7C2D9", "versionEndExcluding": "4.17.0", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "32968913-E57B-4EF5-AA96-AECED07BE717", "versionEndExcluding": "8.9.20", "versionStartIncluding": "8.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D676052-0F9B-4E07-A256-AF075939F05E", "versionEndExcluding": "9.1.14", "versionStartIncluding": "9.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1734889-5F48-4F5F-A579-5FFAB4A4B67F", "versionEndExcluding": "9.2.9", "versionStartIncluding": "9.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DF2D056-3118-4C31-BEDD-69F016898CBB", "versionEndIncluding": "18.3", "versionStartIncluding": "18.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*", "matchCriteriaId": "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*", "matchCriteriaId": "86F03B63-F922-45CD-A7D1-326DB0042875", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", "matchCriteriaId": "7CBFC93F-8B39-45A2-981C-59B187169BD4", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", "matchCriteriaId": "0843465C-F940-4FFC-998D-9A2668B75EA0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*", "matchCriteriaId": "366A6277-5D74-44C8-94A9-8ADB5568B5FB", "versionEndIncluding": "18.3", "versionStartIncluding": "18.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", "matchCriteriaId": "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", "matchCriteriaId": "18127694-109C-4E7E-AE79-0BA351849291", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", "matchCriteriaId": "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*", "matchCriteriaId": "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD4A690A-FA85-4BDA-AA2E-093F726DB7DD", "versionEndExcluding": "22.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "2A3622F5-5976-4BBC-A147-FC8A6431EA79", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6A4F71A-4269-40FC-8F61-1D1301F2B728", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A502118-5B2B-47AE-82EC-1999BD841103", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version \u003c 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0." }, { "lang": "es", "value": "CKEditor4 es un editor HTML WYSIWYG de c\u00f3digo abierto.\u0026#xa0;En las versiones afectadas, se detect\u00f3 una vulnerabilidad en el m\u00f3dulo Advanced Content Filter (ACF) y puede afectar a todos los plugins utilizados por CKEditor 4. La vulnerabilidad permit\u00eda inyectar HTML mal formado sin pasar por el saneamiento del contenido, lo que podr\u00eda resultar en una la ejecuci\u00f3n de c\u00f3digo JavaScript.\u0026#xa0;Afecta a todos los usuarios que utilizan CKEditor 4 en versiones anteriores a 4.17.0.\u0026#xa0;El problema ha sido reconocido y parcheado.\u0026#xa0;La correcci\u00f3n estar\u00e1 disponible en la versi\u00f3n 4.17.0" } ], "id": "CVE-2021-41164", "lastModified": "2024-11-21T06:25:38.570", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-17T19:15:08.913", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" }, { "source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://www.drupal.org/sa-core-2021-011" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "security-advisories@github.com", "tags": [ "Not Applicable" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.drupal.org/sa-core-2021-011" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }