Vulnerability Description
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ckeditor | Ckeditor | >= 4.0, < 4.17.0 |
| Drupal | Drupal | >= 8.9.0, < 8.9.20 |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Digital Experience | >= 18.1, <= 18.3 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Application Express | < 22.1 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Fedoraproject | Fedora | 36 |
Related Weaknesses (CWE)
References
- https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417PatchThird Party Advisory
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprjThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.drupal.org/sa-core-2021-011Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlNot Applicable
- https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417PatchThird Party Advisory
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprjThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.drupal.org/sa-core-2021-011Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
FAQ
What is CVE-2021-41164?
CVE-2021-41164 is a vulnerability with a CVSS score of 8.2 (HIGH). CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The...
How severe is CVE-2021-41164?
CVE-2021-41164 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-41164?
Check the references section above for vendor advisories and patch information. Affected products include: Ckeditor Ckeditor, Drupal Drupal, Oracle Banking Apis, Oracle Banking Digital Experience, Oracle Agile Plm.