CVE-2021-32809: Arbitrary HTML injection vulnerability in ckeditor
First published: Thu Aug 12 2021(Updated: )
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ckeditor Ckeditor | >=4.5.2<4.16.2 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Oracle Application Express | <21.1.4 | |
| Oracle Banking Party Management | =2.7.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Commerce Merchandising | =11.3.2 | |
| Oracle Documaker | =12.6.3 | |
| Oracle Documaker | =12.6.4 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.7<=8.1.1 | |
| Oracle Jd Edwards Enterpriseone Tools | <9.2.6.0 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/207429
- https://www.ibm.com/support/pages/node/6570957 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
Frequently Asked Questions
What is CVE-2021-32809?
CVE-2021-32809 is a vulnerability in CKEditor that allows a remote authenticated attacker to inject malicious HTML code into the editor, which can be executed in the victim's web browser within the security context of the hosting site.
How severe is CVE-2021-32809?
CVE-2021-32809 has a severity rating of 4.6, which is considered medium.
How does CVE-2021-32809 work?
CVE-2021-32809 allows a remote authenticated attacker to abuse the paste functionality of CKEditor to inject and execute malicious HTML code in the victim's web browser.
Am I affected by CVE-2021-32809?
If you are using CKEditor, you may be affected by CVE-2021-32809. It is recommended to apply the necessary security patches to address this vulnerability.
How do I fix CVE-2021-32809?
To fix CVE-2021-32809, ensure that you have installed the latest version of CKEditor, which includes patches for this vulnerability. Additionally, it is advisable to follow security best practices such as user input validation and sanitization.
- collector/nvd-index
- agent/type
- agent/weakness
- agent/remedy
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/last-modified-date
- agent/severity
- agent/first-publish-date
- agent/event
- agent/tags
- vendor/ckeditor
- canonical/ckeditor ckeditor
- version/ckeditor ckeditor/4.5.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/oracle
- canonical/oracle application express
- canonical/oracle banking party management
- version/oracle banking party management/2.7.0
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle commerce merchandising
- version/oracle commerce merchandising/11.3.2
- canonical/oracle documaker
- version/oracle documaker/12.6.3
- version/oracle documaker/12.6.4
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.7
- version/oracle financial services analytical applications infrastructure/8.1.1
- canonical/oracle jd edwards enterpriseone tools
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59