First published: Wed Nov 17 2021(Updated: )
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Ckeditor Ckeditor | >=4.0<4.17.0 | |
Drupal Drupal | >=8.9.0<8.9.20 | |
Drupal Drupal | >=9.1.0<9.1.14 | |
Drupal Drupal | >=9.2.0<9.2.9 | |
Oracle Banking Apis | >=18.1<=18.3 | |
Oracle Banking Apis | =19.1 | |
Oracle Banking Apis | =19.2 | |
Oracle Banking Apis | =20.1 | |
Oracle Banking Apis | =21.1 | |
Oracle Banking Digital Experience | >=18.1<=18.3 | |
Oracle Banking Digital Experience | =19.1 | |
Oracle Banking Digital Experience | =19.2 | |
Oracle Banking Digital Experience | =20.1 | |
Oracle Banking Digital Experience | =21.1 | |
Oracle Agile PLM | =9.3.6 | |
Oracle Application Express | <22.1 | |
Oracle Commerce Guided Search | =11.3.2 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
Oracle WebCenter Portal | =12.2.1.3.0 | |
Oracle WebCenter Portal | =12.2.1.4.0 | |
Fedoraproject Fedora | =36 | |
Fedoraproject Fedora | =37 | |
IBM IBM® Engineering Requirements Management DOORS | <=9.7.2.7 | |
IBM IBM® Engineering Requirements Management DOORS Web Access | <=9.7.2.7 | |
>=4.0<4.17.0 | ||
>=8.9.0<8.9.20 | ||
>=9.1.0<9.1.14 | ||
>=9.2.0<9.2.9 | ||
>=18.1<=18.3 | ||
=19.1 | ||
=19.2 | ||
=20.1 | ||
=21.1 | ||
>=18.1<=18.3 | ||
=19.1 | ||
=19.2 | ||
=20.1 | ||
=21.1 | ||
=9.3.6 | ||
<22.1 | ||
=11.3.2 | ||
=8.58 | ||
=8.59 | ||
=12.2.1.3.0 | ||
=12.2.1.4.0 | ||
=36 | ||
=37 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-41164 is a vulnerability that affects CKEditor4, allowing for injection of malformed HTML and bypassing content sanitization.
CKEditor4 versions from 4.0 to 4.17.0, Drupal versions 8.9.0 to 8.9.20, Drupal versions 9.1.0 to 9.1.14, Drupal versions 9.2.0 to 9.2.9, Oracle Banking APIs versions 18.1 to 18.3, Oracle Banking APIs version 19.1, Oracle Banking APIs version 19.2, Oracle Banking APIs version 20.1, Oracle Banking APIs version 21.1, Oracle Banking Digital Experience versions 18.1 to 18.3, Oracle Banking Digital Experience version 19.1, Oracle Banking Digital Experience version 19.2, Oracle Banking Digital Experience version 20.1, Oracle Banking Digital Experience version 21.1, Oracle Agile PLM version 9.3.6, Oracle Application Express versions up to 22.1, Oracle Commerce Guided Search version 11.3.2, Oracle PeopleSoft Enterprise PeopleTools version 8.58, Oracle PeopleSoft Enterprise PeopleTools version 8.59, Oracle WebCenter Portal version 12.2.1.3.0, Oracle WebCenter Portal version 12.2.1.4.0, Fedoraproject Fedora version 36, and Fedoraproject Fedora version 37 are affected.
CVE-2021-41164 has a severity rating of 5.4 (High).
CVE-2021-41164 allows an attacker to inject malformed HTML code, bypassing content sanitization measures.
Update to a version of CKEditor4 that is not affected by this vulnerability and apply any provided patches or security updates for the affected software.