CVE-2021-32809 — MEDIUM (4.6)

Q: How severe is CVE-2021-32809?

CVE-2021-32809 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-32809?

Check the references section above for vendor advisories and patch information. Affected products include: Ckeditor Ckeditor, Fedoraproject Fedora, Oracle Application Express, Oracle Banking Party Management, Oracle Commerce Guided Search.

Vulnerability Description

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

CVSS Score

4.6

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Ckeditor	Ckeditor	>= 4.5.2, < 4.16.2
Fedoraproject	Fedora	33
Oracle	Application Express	< 21.1.4
Oracle	Banking Party Management	2.7.0
Oracle	Commerce Guided Search	11.3.2
Oracle	Commerce Merchandising	11.3.2
Oracle	Documaker	12.6.3
Oracle	Financial Services Analytical Applications Infrastructure	>= 8.0.7, <= 8.1.1
Oracle	Jd Edwards Enterpriseone Tools	< 9.2.6.0
Oracle	Peoplesoft Enterprise Peopletools	8.57

Related Weaknesses (CWE)

CWE-94 CWE-79

References

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpggThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpggThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory

FAQ

What is CVE-2021-32809?

CVE-2021-32809 is a vulnerability with a CVSS score of 4.6 (MEDIUM). ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. Th...

How severe is CVE-2021-32809?

CVE-2021-32809 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-32809?

Check the references section above for vendor advisories and patch information. Affected products include: Ckeditor Ckeditor, Fedoraproject Fedora, Oracle Application Express, Oracle Banking Party Management, Oracle Commerce Guided Search.