CVE-2021-32809: XSS
First published: Thu Aug 12 2021(Updated: )
CKEditor is vulnerable to HTML injection. A remote authenticated attacker could inject malicious HTML code into the editor, which when viewed, would abuse the paste functionality and executed in the victim's Web browser within the security context of the hosting site.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ckeditor Ckeditor | >=4.5.2<4.16.2 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Oracle Application Express | <21.1.4 | |
| Oracle Banking Party Management | =2.7.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Commerce Merchandising | =11.3.2 | |
| Oracle Documaker | =12.6.3 | |
| Oracle Documaker | =12.6.4 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.7<=8.1.1 | |
| Oracle Jd Edwards Enterpriseone Tools | <9.2.6.0 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/207429
- https://www.ibm.com/support/pages/node/6570957 (Advisory)
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Frequently Asked Questions
What is CVE-2021-32809?
CVE-2021-32809 is a vulnerability in CKEditor that allows a remote authenticated attacker to inject malicious HTML code into the editor, which can be executed in the victim's web browser within the security context of the hosting site.
How severe is CVE-2021-32809?
CVE-2021-32809 has a severity rating of 4.6, which is considered medium.
How does CVE-2021-32809 work?
CVE-2021-32809 allows a remote authenticated attacker to abuse the paste functionality of CKEditor to inject and execute malicious HTML code in the victim's web browser.
Am I affected by CVE-2021-32809?
If you are using CKEditor, you may be affected by CVE-2021-32809. It is recommended to apply the necessary security patches to address this vulnerability.
How do I fix CVE-2021-32809?
To fix CVE-2021-32809, ensure that you have installed the latest version of CKEditor, which includes patches for this vulnerability. Additionally, it is advisable to follow security best practices such as user input validation and sanitization.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/ibm-support
- collector/nvd-index
- vendor/ckeditor
- canonical/ckeditor ckeditor
- version/ckeditor ckeditor/4.5.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/oracle
- canonical/oracle application express
- canonical/oracle banking party management
- version/oracle banking party management/2.7.0
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle commerce merchandising
- version/oracle commerce merchandising/11.3.2
- canonical/oracle documaker
- version/oracle documaker/12.6.3
- version/oracle documaker/12.6.4
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.7
- version/oracle financial services analytical applications infrastructure/8.1.1
- canonical/oracle jd edwards enterpriseone tools
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59