CVE-2021-32809

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 12-08-2021 07:15

Last modified: - 25-04-2022 09:58

Total changes: - 9

Description

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

Low

Confidentiality

Low

Integrity

Low

Privileges required

Changed

Scope

Required

User interaction

5.4

Base score

2.3

2.7

Exploitability score

Impact score

Verification logic

vendor=ckeditor AND product=ckeditor AND target_software=node.js AND versionStartIncluding=4.5.2 AND versionEndExcluding=4.16.2

vendor=fedoraproject AND product=fedora AND version=33

vendor=fedoraproject AND product=fedora AND version=34

vendor=fedoraproject AND product=fedora AND version=35

vendor=oracle AND product=application_express AND versionEndExcluding=21.1.4

vendor=oracle AND product=banking_party_management AND version=2.7.0

vendor=oracle AND product=commerce_guided_search AND version=11.3.2

vendor=oracle AND product=commerce_merchandising AND version=11.3.2

vendor=oracle AND product=documaker AND version=12.6.3

vendor=oracle AND product=documaker AND version=12.6.4

vendor=oracle AND product=financial_services_analytical_applications_infrastructure AND versionEndIncluding=8.1.1 AND versionStartIncluding=8.0.7

vendor=oracle AND product=jd_edwards_enterpriseone_tools AND versionEndExcluding=9.2.6.0

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.57

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.58

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.59

Reference

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg
FEDORA-2021-51457da891-Mailing List, Third Party Advisory
FEDORA-2021-72176a63a8-Mailing List, Third Party Advisory
FEDORA-2021-87578dca12-Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html

Keywords

CVE-2021-32809

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2021-32809

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures