CVE-2021-37695

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 13-08-2021 02:15

Last modified: - 28-02-2022 03:57

Total changes: - 9

Description

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

Low

Confidentiality

Low

Integrity

Low

Privileges required

Changed

Scope

Required

User interaction

5.4

Base score

2.3

2.7

Exploitability score

Impact score

Verification logic

vendor=ckeditor AND product=ckeditor AND versionEndExcluding=4.16.2

vendor=Debian AND product=debian_linux AND version=9.0

vendor=fedoraproject AND product=fedora AND version=33

vendor=fedoraproject AND product=fedora AND version=34

vendor=fedoraproject AND product=fedora AND version=35

vendor=oracle AND product=application_express AND versionEndExcluding=21.1.4

vendor=oracle AND product=banking_party_management AND version=2.7.0

vendor=oracle AND product=commerce_guided_search AND version=11.3.2

vendor=oracle AND product=commerce_merchandising AND version=11.3.2

vendor=oracle AND product=documaker AND version=12.6.3

vendor=oracle AND product=documaker AND version=12.6.4

vendor=oracle AND product=financial_services_analytical_applications_infrastructure AND version=8.0.3

vendor=oracle AND product=financial_services_analytical_applications_infrastructure AND versionEndIncluding=8.1.1 AND versionStartIncluding=8.0.7

vendor=oracle AND product=financial_services_model_management_and_governance AND versionEndIncluding=8.1.0.0.0 AND versionStartIncluding=8.0.8.0.0

vendor=oracle AND product=jd_edwards_enterpriseone_tools AND versionEndExcluding=9.2.6.0

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.57

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.58

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.59

Reference

https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
FEDORA-2021-51457da891-Mailing List, Third Party Advisory
FEDORA-2021-72176a63a8-Mailing List, Third Party Advisory
FEDORA-2021-87578dca12-Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update-Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Keywords

CVE-2021-37695

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2021-37695

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures