CVE-2021-37695

Опубликовано: 13 авг. 2021

Источник: nvd

CVSS3: 7.3

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 Fake Objects package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

Ссылки

https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
Patch
Third Party Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
Patch
Third Party Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*

Версия до 4.16.2 (исключая)

Конфигурация 2

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*

Версия до 21.1.4 (исключая)

cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*

Версия от 8.0.7 (включая) до 8.1.1 (включая)

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:*

Версия от 8.0.8.0.0 (включая) до 8.1.0.0.0 (включая)

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

Версия до 9.2.6.0 (исключая)

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

EPSS

Процентиль: 64%

0.00476

Низкий

7.3 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2021-37695

CVSS3: 7.3

ubuntu

больше 4 лет назад

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

CVE-2021-37695

CVSS3: 7.3

debian

больше 4 лет назад

ckeditor is an open source WYSIWYG HTML editor with rich content suppo ...

GHSA-m94c-37g6-cjhc

CVSS3: 7.3

github

больше 4 лет назад

Fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML.

EPSS

Процентиль: 64%

0.00476

Низкий

7.3 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79