CVE-2021-32808

Опубликовано: 12 авг. 2021

Источник: nvd

CVSS3: 7.6

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.

Ссылки

https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2
Release Notes
Third Party Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2
Release Notes
Third Party Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:node.js:*:*

Версия от 4.13.0 (включая) до 4.16.2 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*

Версия до 21.1.4 (исключая)

cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*

Версия от 8.0.7 (включая) до 8.1.1 (включая)

cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.0.8.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

Версия до 9.2.6.0 (включая)

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*

Версия до 21.9 (включая)

cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*

EPSS

Процентиль: 80%

0.01368

Низкий

7.6 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2021-32808

CVSS3: 7.6

ubuntu

больше 4 лет назад

CVE-2021-32808

CVSS3: 7.6

debian

больше 4 лет назад

ckeditor is an open source WYSIWYG HTML editor with rich content suppo ...

GHSA-6226-h7ff-ch6c

CVSS3: 7.6

github

больше 4 лет назад

Widget feature vulnerability allowing to execute JavaScript code using undo functionality

BDU:2022-01665

CVSS3: 5.4

fstec

больше 4 лет назад

Уязвимость плагина Widget и функционала Undo WYSIWYG-редактора CKEditor, позволяющая нарушителю оказать воздействие на целостность данных

EPSS

Процентиль: 80%

0.01368

Низкий

7.6 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79