high
8.2
CWE
79
Advisory Published
Updated

CVE-2021-41164: Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML

First published: Wed Nov 17 2021(Updated: )

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Ckeditor Ckeditor>=4.0<4.17.0
Drupal Drupal>=8.9.0<8.9.20
Drupal Drupal>=9.1.0<9.1.14
Drupal Drupal>=9.2.0<9.2.9
Oracle Banking Apis>=18.1<=18.3
Oracle Banking Apis=19.1
Oracle Banking Apis=19.2
Oracle Banking Apis=20.1
Oracle Banking Apis=21.1
Oracle Banking Digital Experience>=18.1<=18.3
Oracle Banking Digital Experience=19.1
Oracle Banking Digital Experience=19.2
Oracle Banking Digital Experience=20.1
Oracle Banking Digital Experience=21.1
Oracle Agile PLM=9.3.6
Oracle Application Express<22.1
Oracle Commerce Guided Search=11.3.2
Oracle PeopleSoft Enterprise PeopleTools=8.58
Oracle PeopleSoft Enterprise PeopleTools=8.59
Oracle WebCenter Portal=12.2.1.3.0
Oracle WebCenter Portal=12.2.1.4.0
Fedoraproject Fedora=36
Fedoraproject Fedora=37
IBM IBM® Engineering Requirements Management DOORS<=9.7.2.7
IBM IBM® Engineering Requirements Management DOORS Web Access<=9.7.2.7

Remedy

https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417

Remedy

https://www.oracle.com/security-alerts/cpuapr2022.html

Remedy

https://www.oracle.com/security-alerts/cpujan2022.html

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is CVE-2021-41164?

    CVE-2021-41164 is a vulnerability that affects CKEditor4, allowing for injection of malformed HTML and bypassing content sanitization.

  • Which software versions are affected by CVE-2021-41164?

    CKEditor4 versions from 4.0 to 4.17.0, Drupal versions 8.9.0 to 8.9.20, Drupal versions 9.1.0 to 9.1.14, Drupal versions 9.2.0 to 9.2.9, Oracle Banking APIs versions 18.1 to 18.3, Oracle Banking APIs version 19.1, Oracle Banking APIs version 19.2, Oracle Banking APIs version 20.1, Oracle Banking APIs version 21.1, Oracle Banking Digital Experience versions 18.1 to 18.3, Oracle Banking Digital Experience version 19.1, Oracle Banking Digital Experience version 19.2, Oracle Banking Digital Experience version 20.1, Oracle Banking Digital Experience version 21.1, Oracle Agile PLM version 9.3.6, Oracle Application Express versions up to 22.1, Oracle Commerce Guided Search version 11.3.2, Oracle PeopleSoft Enterprise PeopleTools version 8.58, Oracle PeopleSoft Enterprise PeopleTools version 8.59, Oracle WebCenter Portal version 12.2.1.3.0, Oracle WebCenter Portal version 12.2.1.4.0, Fedoraproject Fedora version 36, and Fedoraproject Fedora version 37 are affected.

  • What is the severity of CVE-2021-41164?

    CVE-2021-41164 has a severity rating of 5.4 (High).

  • How does CVE-2021-41164 work?

    CVE-2021-41164 allows an attacker to inject malformed HTML code, bypassing content sanitization measures.

  • How can CVE-2021-41164 be fixed?

    Update to a version of CKEditor4 that is not affected by this vulnerability and apply any provided patches or security updates for the affected software.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203