CVE-2021-37695

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 Fake Objects package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

Published: Aug 13, 2021
Updated: May 9, 2024
CVE: CVE-2021-37695
GHSA: GHSA-m94c-37g6-cjhc
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
ckeditor / ckeditor	-	4.16.2
debian / debian_linux	9.0	9.0.x
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
oracle / peoplesoft_enterprise_peopletools	8.57	8.57.x
oracle / financial_services_analytical_applications_infrastructure	8.0.3	8.0.3.x
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
oracle / commerce_guided_search	11.3.2	11.3.2.x
oracle / peoplesoft_enterprise_peopletools	8.59	8.59.x
oracle / commerce_merchandising	11.3.2	11.3.2.x
oracle / jd_edwards_enterpriseone_tools	-	9.2.6.0
oracle / documaker	12.6.3	12.6.3.x
oracle / documaker	12.6.4	12.6.4.x
oracle / financial_services_model_management_and_governance	8.0.8.0.0	8.1.0.0.0.x
oracle / banking_party_management	2.7.0	2.7.0.x
oracle / financial_services_analytical_applications_infrastructure	8.0.7	8.1.1.x
oracle / application_express	-	21.1.4
ckeditor4	-	4.16.2

Vulnerability Database

289,599

CVE-2021-37695