CVE-2021-41165

moderate-risk
Published 2021-11-17

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

Do I need to act?

-
0.12% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.2/10 High
NETWORK / LOW complexity

Affected Products (19)

Banking Apis
Banking Apis
Banking Apis
Banking Apis
Banking Apis

Affected Vendors

Oracle Drupal Ckeditor

References (12)

Third Party Advisory https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417
Third Party Advisory https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2
Third Party Advisory https://www.drupal.org/sa-core-2021-011
Patch https://www.oracle.com/security-alerts/cpuapr2022.html
Patch https://www.oracle.com/security-alerts/cpujan2022.html
Not Applicable https://www.oracle.com/security-alerts/cpujul2022.html
Third Party Advisory https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417
Third Party Advisory https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2
Third Party Advisory https://www.drupal.org/sa-core-2021-011
Patch https://www.oracle.com/security-alerts/cpuapr2022.html
Patch https://www.oracle.com/security-alerts/cpujan2022.html
Not Applicable https://www.oracle.com/security-alerts/cpujul2022.html
47
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 0/34 · Minimal
Exposure 19/34 · Moderate