CVE-2021-41165 — HIGH (8.2)

Q: How severe is CVE-2021-41165?

CVE-2021-41165 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-41165?

Check the references section above for vendor advisories and patch information. Affected products include: Ckeditor Ckeditor, Drupal Drupal, Oracle Agile Product Lifecycle Management, Oracle Application Express, Oracle Banking Apis.

Vulnerability Description

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Ckeditor	Ckeditor	< 4.17.0
Drupal	Drupal	>= 8.9.0, < 8.9.20
Oracle	Agile Product Lifecycle Management	9.3.6
Oracle	Application Express	< 22.1
Oracle	Banking Apis	>= 18.1, <= 18.3
Oracle	Banking Digital Experience	>= 18.1, <= 18.3
Oracle	Commerce Guided Search	11.3.2
Oracle	Peoplesoft Enterprise Peopletools	8.58
Oracle	Webcenter Portal	12.2.1.3.0

Related Weaknesses (CWE)

CWE-79

References

https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417Third Party Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2Third Party Advisory
https://www.drupal.org/sa-core-2021-011Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlNot Applicable
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417Third Party Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2Third Party Advisory
https://www.drupal.org/sa-core-2021-011Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlNot Applicable

FAQ

What is CVE-2021-41165?

CVE-2021-41165 is a vulnerability with a CVSS score of 8.2 (HIGH). CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerabi...

How severe is CVE-2021-41165?

CVE-2021-41165 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-41165?

Check the references section above for vendor advisories and patch information. Affected products include: Ckeditor Ckeditor, Drupal Drupal, Oracle Agile Product Lifecycle Management, Oracle Application Express, Oracle Banking Apis.