CVE-2021-41165

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

References

Affected packages

Git / github.com/ckeditor/ckeditor-releases

Affected ranges

Type: GIT
Repo: https://github.com/ckeditor/ckeditor-releases
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5a0d3c84b4bc9eb7d1ecd8dfa9b660eb691553c2

Affected versions

4.*

4.0.1/standard

4.0/standard

4.1.1/standard

4.1.2/standard

4.1.3/standard

4.1/standard

4.1rc/standard

4.2.1/standard

4.2.2/standard

4.2.3/standard

4.2/standard

4.3.0/standard

4.3.1/standard

4.3.2/standard

standard/4.*

standard/4.10.0

standard/4.10.1

standard/4.11.0

standard/4.11.1

standard/4.11.2

standard/4.11.3

standard/4.11.4

standard/4.12.0

standard/4.12.1

standard/4.13.0

standard/4.13.1

standard/4.14.0

standard/4.14.1

standard/4.15.0

standard/4.15.1

standard/4.16.0

standard/4.16.1

standard/4.16.2

standard/4.3.3

standard/4.3.4

standard/4.3.5

standard/4.4.0

standard/4.4.1

standard/4.4.2

standard/4.4.3

standard/4.4.4

standard/4.4.5

standard/4.4.6

standard/4.4.7

standard/4.4.8

standard/4.5.0

standard/4.5.1

standard/4.5.10

standard/4.5.11

standard/4.5.2

standard/4.5.3

standard/4.5.4

standard/4.5.5

standard/4.5.6

standard/4.5.7

standard/4.5.8

standard/4.5.9

standard/4.6.0

standard/4.6.1

standard/4.6.2

standard/4.7.0

standard/4.7.1

standard/4.7.2

standard/4.7.3

standard/4.8.0

standard/4.9.0

standard/4.9.1

standard/4.9.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41165.json"