CVE-2021-32808: Cross-site scripting in ckeditor via abuse of undo functionality
First published: Thu Aug 12 2021(Updated: )
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ckeditor Ckeditor | >=4.13.0<4.16.2 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Oracle Application Express | <21.1.4 | |
| Oracle Banking Party Management | =2.7.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Commerce Merchandising | =11.3.2 | |
| Oracle Documaker | =12.6.3 | |
| Oracle Documaker | =12.6.4 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.7<=8.1.1 | |
| Oracle Financial Services Model Management And Governance | =8.0.8.0.0 | |
| Oracle Financial Services Model Management And Governance | =8.1.0.0.0 | |
| Oracle Jd Edwards Enterpriseone Tools | <=9.2.6.0 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle Siebel Ui Framework | <=21.9 | |
| Oracle WebCenter Sites | =12.2.1.3.0 | |
| Oracle WebCenter Sites | =12.2.1.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/207430
- https://www.ibm.com/support/pages/node/6570957 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
Frequently Asked Questions
What is CVE-2021-32808?
CVE-2021-32808 is a vulnerability in CKEditor that allows for cross-site scripting if the clipboard Widget plugin is used alongside the undo feature.
How does CVE-2021-32808 affect CKEditor?
CVE-2021-32808 affects CKEditor by allowing a remote attacker to execute malicious code in a victim's web browser.
What is the severity level of CVE-2021-32808?
CVE-2021-32808 has a severity level of 7.6, which is considered high.
How can the CVE-2021-32808 vulnerability be exploited?
The CVE-2021-32808 vulnerability can be exploited by using malformed widget HTML in conjunction with the undo feature in CKEditor.
Is there a fix available for CVE-2021-32808?
Yes, CKEditor has released a fix for CVE-2021-32808. It is recommended to update to the latest version of CKEditor to mitigate the vulnerability.
- collector/nvd-index
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/author
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/last-modified-date
- agent/severity
- agent/first-publish-date
- agent/event
- agent/tags
- vendor/ckeditor
- canonical/ckeditor ckeditor
- version/ckeditor ckeditor/4.13.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/oracle
- canonical/oracle application express
- canonical/oracle banking party management
- version/oracle banking party management/2.7.0
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle commerce merchandising
- version/oracle commerce merchandising/11.3.2
- canonical/oracle documaker
- version/oracle documaker/12.6.3
- version/oracle documaker/12.6.4
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.7
- version/oracle financial services analytical applications infrastructure/8.1.1
- canonical/oracle financial services model management and governance
- version/oracle financial services model management and governance/8.0.8.0.0
- version/oracle financial services model management and governance/8.1.0.0.0
- canonical/oracle jd edwards enterpriseone tools
- version/oracle jd edwards enterpriseone tools/9.2.6.0
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle siebel ui framework
- version/oracle siebel ui framework/21.9
- canonical/oracle webcenter sites
- version/oracle webcenter sites/12.2.1.3.0
- version/oracle webcenter sites/12.2.1.4.0