Vulnerabilites related to ckeditor - ckeditor
Vulnerability from fkie_nvd
Published
2024-02-07 17:15
Modified
2024-11-21 08:59
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.
Impacted products
Vendor Product Version
ckeditor ckeditor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B6B9E14F-3103-4A78-A337-47786B2B06ED",
                     versionEndExcluding: "4.24.0",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.",
      },
      {
         lang: "es",
         value: "CKEditor4 es un editor HTML de código abierto de lo que ves es lo que obtienes. Se descubrió una vulnerabilidad de cross-site scripting en versiones anteriores a la 4.24.0-lts en muestras que utilizan la función \"vista previa\". Todos los integradores que utilicen estos ejemplos en el código de producción pueden verse afectados. La vulnerabilidad permite a un atacante ejecutar código JavaScript abusando de la función de vista previa mal configurada. Afecta a todos los usuarios que utilizan CKEditor 4 en la versión &lt;4.24.0-lts con muestras afectadas utilizadas en un entorno de producción. Hay una solución disponible en la versión 4.24.0-lts.",
      },
   ],
   id: "CVE-2024-24816",
   lastModified: "2024-11-21T08:59:46.490",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-02-07T17:15:11.383",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/cke4/addon/preview",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/cke4/addon/preview",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-03-10 17:15
Modified
2024-11-21 05:40
Summary
A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C89EC56-786D-40AB-AC0B-C8C77A056F22",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:webspellchecker:webspellchecker:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "8CF738E0-968F-4DFD-B908-DDFDC006F6AB",
                     versionEndIncluding: "5.5.7.5",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                     matchCriteriaId: "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                     matchCriteriaId: "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                     matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.",
      },
      {
         lang: "es",
         value: "Una vulnerabilidad de tipo cross-site scripting (XSS) en el pluging WSC versiones hasta la versión 5.5.7.5 para CKEditor 4, permite a atacantes remotos ejecutar script web arbitrario dentro de un elemento IFRAME mediante la inyección de un elemento HTML especialmente  diseñado en el editor.",
      },
   ],
   id: "CVE-2020-9440",
   lastModified: "2024-11-21T05:40:38.910",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-03-10T17:15:13.207",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-08-21 15:15
Modified
2024-08-23 16:20
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.
Impacted products
Vendor Product Version
ckeditor ckeditor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:lts:*:*:*",
                     matchCriteriaId: "C4754AC3-7A7F-4BFA-BD12-066EE0C46FC3",
                     versionEndExcluding: "4.25.0",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.",
      },
      {
         lang: "es",
         value: "CKEditor4 es un editor HTML de código abierto de lo que ves es lo que obtienes. Se ha descubierto una vulnerabilidad potencial en el complemento GeSHi del fragmento de código de CKEditor 4. La vulnerabilidad permitió un ataque XSS reflejado al explotar una falla en la librería de resaltado de sintaxis GeSHi alojada por la víctima. La librería GeSHi se incluyó como dependencia del proveedor en los archivos fuente de CKEditor 4. En un escenario específico, un atacante podría crear un script malicioso que podría ejecutarse enviando una solicitud a la librería GeSHi alojada en un servidor web PHP. La librería GeSHi ya no se mantiene activamente. Debido a la falta de soporte y actualizaciones continuas, se han identificado posibles vulnerabilidades de seguridad con su uso continuo. Para mitigar estos riesgos y mejorar la seguridad general de CKEditor 4, hemos decidido eliminar por completo la librería GeSHi como dependencia. Este cambio tiene como objetivo mantener un entorno seguro y reducir el riesgo de incidentes de seguridad relacionados con software desactualizado o sin soporte. La solución estará disponible en la versión 4.25.0-lts.",
      },
   ],
   id: "CVE-2024-43407",
   lastModified: "2024-08-23T16:20:42.363",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-08-21T15:15:09.397",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2012-09-05 00:55
Modified
2024-11-21 01:38
Severity ?
Summary
Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "44B163FD-1FE9-48C4-B0AA-DD50847FF1F0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:beta:*:*:*:*:*:*",
                     matchCriteriaId: "F76C9A2D-841B-40B2-9B20-3D19B8E4D599",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "5F296BCB-1010-47CD-8710-CB2B811A2CCF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "0B350AE9-4072-4E78-B891-693E83A10B68",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.2-1:*:*:*:*:*:*:*",
                     matchCriteriaId: "1CBBEAAF-31FB-4EFB-971A-FB6A0A7D237F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "09808721-056C-4BE8-8BFB-D31D6F95C751",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:beta:*:*:*:*:*:*",
                     matchCriteriaId: "9AEB8F31-C6F3-45D1-95C3-D9F4DE8A011F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "423F1192-70EB-4EA8-8FD2-4DD913513311",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "D21FCEAD-0D7B-4B9B-995F-9DC0B59D9EC5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "C31D54C7-B2F6-44F5-A7EE-1256F69561A4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc3:*:*:*:*:*:*",
                     matchCriteriaId: "169C2734-5A10-4486-8329-1B4C99377F34",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc5:*:*:*:*:*:*",
                     matchCriteriaId: "D2A96BDD-CE2A-468B-BA11-420013FD962A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc6:*:*:*:*:*:*",
                     matchCriteriaId: "D36AA137-0B92-4C0C-A110-689CD1D8B13C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc7:*:*:*:*:*:*",
                     matchCriteriaId: "7B9AF995-8E15-49E5-A999-D46F4021DF9A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "5E35468C-4F35-44CA-AB5A-B744DAAEA5A5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "9BC0703D-CC61-4035-BD4F-4FA225E91247",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "053CB577-FAA9-4C52-9F70-79EAB0EF2C7F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.x:dev:*:*:*:*:*:*",
                     matchCriteriaId: "80718F1B-01E0-470C-A64B-FE6EF21E7B33",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "3972DA1A-AB39-40C0-B07A-C78A14F4BE9F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha1:*:*:*:*:*:*",
                     matchCriteriaId: "6D692A34-334E-4EF6-A9A2-00E0DBCBF8F2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha3:*:*:*:*:*:*",
                     matchCriteriaId: "7D8493A8-16C7-4A86-B117-5D6960672A26",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha4:*:*:*:*:*:*",
                     matchCriteriaId: "16A838C7-F87F-4700-978A-CBE29CC05778",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha5:*:*:*:*:*:*",
                     matchCriteriaId: "4204743A-1AF1-453E-816B-89B789421157",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta1:*:*:*:*:*:*",
                     matchCriteriaId: "ACC858F4-915F-4269-89F4-5850E89D95B0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "CC2E4995-E98D-4EBA-8F68-8D1AC8013220",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta3:*:*:*:*:*:*",
                     matchCriteriaId: "2A4AF219-9088-4AF2-8B59-D72B5B8E0EEF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta4:*:*:*:*:*:*",
                     matchCriteriaId: "46BDEF08-D257-47BF-8A43-9968C2B8EF5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "5A9FB606-1EF7-4503-839F-4C1C5128C690",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "D368C7DA-85EA-4B80-AFF8-20FFE4CCD410",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E725F77-8490-42E5-B4C2-A905375819EE",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.1:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "19315A5D-A5B4-48A2-9823-E7D079578FF7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "C9E1CF58-3074-4917-953A-7B553D42A22B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.2:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "D877BB1B-FDDF-4E32-A708-5C4EF293895B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "2D6AF3DE-116C-4C48-9122-A0AB461F3DA7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.x:dev:*:*:*:*:*:*",
                     matchCriteriaId: "69A13208-719D-4627-BA30-2EE9D7D3D911",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F8B1170D-AD33-4C7A-892D-63AC71B032CF",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "80ACD9BA-BFAA-4421-BF46-FACC1D8EB66C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.0:beta1:*:*:*:*:*:*",
                     matchCriteriaId: "7B8252BB-5C2D-40B1-971E-B170DF5D8583",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "7DD74EB7-12C7-495B-86D8-A63FB853A99E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "39FE612F-4CAC-4D3B-85D2-49201BE699F0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "81515584-8CA5-445C-9396-90236B215104",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "3240117F-7FB4-495C-9CAF-7A902499B3D3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "ED7C7988-B82E-4BB0-B966-E2D5BFB09E69",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "4D62BBD9-C702-4BEA-B8A9-960B31630EA3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.7:*:*:*:*:*:*:*",
                     matchCriteriaId: "61D011F9-21E1-4B47-94D9-68F9E1DF92B2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.x:dev:*:*:*:*:*:*",
                     matchCriteriaId: "7F2EA237-1B55-49F3-B95C-6FAAA28901C8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "42B69434-2F6F-4D0F-ADB9-FD7BD8A2B296",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "C3398A12-5E6D-4E6B-80B1-D8C177FA8168",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "6F74FCCC-4DAC-40DE-AA3C-8A77D8250EFA",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "73BF8196-B275-4C69-BE33-3F8D8865D8A0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "0A64FD18-5402-4971-8483-95CF3535B019",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "672ACFFD-70C6-457F-BF5B-9B85CCB08959",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "8B4D96C8-18E7-45B5-A107-CBFBFF6D2C85",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "5DB70B6B-3ECC-459D-98DA-0BB76AE9296D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.x:dev:*:*:*:*:*:*",
                     matchCriteriaId: "07087627-FA8A-4E3B-8509-B1A2E4E864B5",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F8B1170D-AD33-4C7A-892D-63AC71B032CF",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter.  NOTE: some of these details are obtained from third party information.",
      },
      {
         lang: "es",
         value: "Vulnerabilidad no especificada en el módulo CKEditor v6.x-2.x anterior a v6.x-2.3 y el módulo CKEditor v6.x-1.x anterior a v6.x-1.9 y v7.x-1.x anterior a v7.x-1.7 para Drupal, cuando el módulo de núcleo de PHP está activado, permite a usuarios remotos autenticados o atacantes remotos ejecutar código PHP arbitrario a través del parámetro de texto a un filtro de texto. NOTA: algunos de estos detalles han sido obtenidos a partir de información de terceros",
      },
   ],
   evaluatorComment: "Per http://drupal.org/node/1482528 the versions affected are \"FCKeditor 6.x-2.x versions prior to 6.x-2.3, CKEditor 6.x-1.x versions prior to 6.x-1.9, and CKEditor 7.x-1.x versions prior to 7.x-1.7.\"\r\n",
   id: "CVE-2012-2067",
   lastModified: "2024-11-21T01:38:25.490",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.8,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
   },
   published: "2012-09-05T00:55:15.217",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482442",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482466",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482480",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "http://drupal.org/node/1482528",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/48435",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.openwall.com/lists/oss-security/2012/04/07/1",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.osvdb.org/80080",
      },
      {
         source: "secalert@redhat.com",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/74037",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482442",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482466",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482480",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "http://drupal.org/node/1482528",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/48435",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.openwall.com/lists/oss-security/2012/04/07/1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.osvdb.org/80080",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/74037",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-noinfo",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-03-07 01:15
Modified
2024-11-21 05:40
Summary
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
References
cve@mitre.orghttps://github.com/ckeditor/ckeditor4Product, Third Party Advisory
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/
cve@mitre.orghttps://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Vendor Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpuoct2020.htmlPatch, Third Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpuoct2021.htmlNot Applicable, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuoct2020.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuoct2021.htmlNot Applicable, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "DD2A80E8-E9A1-4C53-8CA1-7961EEBF5484",
                     versionEndExcluding: "4.14",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                     matchCriteriaId: "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                     matchCriteriaId: "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                     matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6C94963F-9771-4519-8D82-4EE9430BF3E7",
                     versionEndExcluding: "8.7.12",
                     versionStartIncluding: "8.7.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "E7974503-263F-4534-8895-DDF0866F0D61",
                     versionEndExcluding: "8.8.4",
                     versionStartIncluding: "8.8.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "ED43772F-D280-42F6-A292-7198284D6FE7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "96FC5AC6-88AC-4C4D-8692-7489D6DE8E16",
                     versionEndExcluding: "20.2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F0F00658-CE6C-4198-BE33-435BD67761E5",
                     versionEndExcluding: "9.2.5.2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "35070A11-340A-449E-B5FA-B8769C5EA2A2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*",
                     matchCriteriaId: "D0A735B4-4F3C-416B-8C08-9CB21BAD2889",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:siebel_apps_-_customer_order_management:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F6443929-70D6-4C9A-AF95-EFFD34E388FC",
                     versionEndExcluding: "21.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D7756147-7168-4E03-93EE-31379F6BE88E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D6A4F71A-4269-40FC-8F61-1D1301F2B728",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "5A502118-5B2B-47AE-82EC-1999BD841103",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "E60C0966-BF0D-4D18-B09B-5D0BB96DBFF3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "E0FCD3BC-33D8-49D1-844B-6B9DE0CA4997",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "473749BD-267E-480F-8E7F-C762702DB66E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "74C7E2F1-17FC-4322-A5C3-F7EB612BA4F5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "320D36DA-D99F-4149-B582-3F4AB2F41A1B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_enterprise_default_managment:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "05E4EB25-7B7A-4A10-A535-8C7CA4D6FEB6",
                     versionEndIncluding: "2.4.0",
                     versionStartIncluding: "2.3.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted \"protected\" comment (with the cke_protected syntax).",
      },
      {
         lang: "es",
         value: "Una vulnerabilidad de tipo cross-site scripting (XSS) en el HTML Data Processor for CKEditor versiones 4.0 anteriores a 4.14, permite a atacantes remotos inyectar script web arbitrario por medio de un comentario \"protected\" diseñado (con la sintaxis cke_protected).",
      },
   ],
   id: "CVE-2020-9281",
   lastModified: "2024-11-21T05:40:20.923",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-03-07T01:15:15.517",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2021.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Not Applicable",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-01-26 21:15
Modified
2024-11-21 05:56
Summary
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4C5F969A-06A2-4D84-B7DF-1CE68E285C0F",
                     versionEndExcluding: "4.16",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "ED43772F-D280-42F6-A292-7198284D6FE7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6B4D758F-EABD-498C-9C9E-C3F35927F7DC",
                     versionEndExcluding: "21.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "40F940AA-05BE-426C-89A3-4098E107D9A7",
                     versionEndIncluding: "8.0.9",
                     versionStartIncluding: "8.0.6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "6FB8AE1F-FA6B-4A5E-AA5B-D0B7C78FE886",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "41C2C67B-BF55-4B48-A94D-1F37A4FAC68C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "86305E47-33E9-411C-B932-08C395C09982",
                     versionEndExcluding: "9.2.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D2B15024-E757-443B-8424-BBF0A28C3753",
                     versionEndExcluding: "21.9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D551CAB1-4312-44AA-BDA8-A030817E153A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "174A6D2E-E42E-4C92-A194-C6A820CD7EF4",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).",
      },
      {
         lang: "es",
         value: "Era posible ejecutar un ataque de tipo ReDoS dentro de CKEditor 4 versiones anteriores a 4.16, al persuadir a una víctima para pegar un texto diseñado en la entrada Styles de cuadros de diálogo específicos (en la pestaña Advanced para el plugin Dialogs)",
      },
   ],
   id: "CVE-2021-26271",
   lastModified: "2024-11-21T05:56:00.720",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-01-26T21:15:12.860",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com//security-alerts/cpujul2021.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com//security-alerts/cpujul2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-829",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-03-16 16:15
Modified
2024-11-21 06:50
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
References
security-advisories@github.comhttps://ckeditor.com/cke4/release/CKEditor-4.18.0Release Notes, Vendor Advisory
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89Third Party Advisory
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
security-advisories@github.comhttps://www.drupal.org/sa-core-2022-005Patch, Third Party Advisory
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://ckeditor.com/cke4/release/CKEditor-4.18.0Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
af854a3a-2127-422b-91ae-364da2661108https://www.drupal.org/sa-core-2022-005Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EC4BF70E-8D8F-4E6E-87BC-0103C0ED541F",
                     versionEndExcluding: "4.18.0",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "40450340-0D4F-4A9F-AADB-1708F844690A",
                     versionEndExcluding: "9.2.15",
                     versionStartIncluding: "8.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A9992D37-51EB-4011-9335-D1653AE2D59B",
                     versionEndExcluding: "9.3.8",
                     versionStartIncluding: "9.3.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "48B23728-0050-4AF0-B8B0-A959CBAB4505",
                     versionEndExcluding: "22.1.1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6135501A-3F3C-42BA-B2C4-79403F3510D8",
                     versionEndIncluding: "8.1.0.0.0",
                     versionStartIncluding: "8.0.7.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "3CC69CF0-6269-40F5-871B-16CFD5EC4C45",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "172BECE8-9626-4910-AAA1-A2FA9C7139E3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "ACB82398-7281-47CF-81F9-A8A67D9C9DFE",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AD9AC3A6-9B91-4B55-A320-A40E95F21058",
                     versionEndIncluding: "8.1.2.1",
                     versionStartIncluding: "8.1.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B0EF38D2-EF89-4DBC-B305-1A5D5FC0B186",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "155FF008-1054-4943-B1C3-9117E3E51AC3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "B57ECC6E-CC64-4DE7-B657-3BA54EDDFFF4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "10BBAD37-51A1-4819-807B-2642E9D4A69C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*",
                     matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
                     matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.",
      },
      {
         lang: "es",
         value: "CKEditor4 es un editor HTML de código abierto \"lo que visualizas es lo que obtienes\". Se ha detectado una vulnerabilidad en el módulo central de procesamiento de HTML y puede afectar a todos los plugins usados por CKEditor 4 versiones anteriores a 4.18.0. La vulnerabilidad permite que alguien inyecte HTML malformado omitiendo el saneo del contenido, lo que podría resultar en una ejecución de código JavaScript. Este problema ha sido parcheado en versión 4.18.0. Actualmente no se presentan medidas de mitigación conocidas",
      },
   ],
   id: "CVE-2022-24728",
   lastModified: "2024-11-21T06:50:57.820",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "LOW",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 3.5,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 6.8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 2.7,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-03-16T16:15:10.907",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/cke4/release/CKEditor-4.18.0",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.drupal.org/sa-core-2022-005",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/cke4/release/CKEditor-4.18.0",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.drupal.org/sa-core-2022-005",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2012-09-05 00:55
Modified
2024-11-21 01:38
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "44B163FD-1FE9-48C4-B0AA-DD50847FF1F0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:beta:*:*:*:*:*:*",
                     matchCriteriaId: "F76C9A2D-841B-40B2-9B20-3D19B8E4D599",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.1:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "5F296BCB-1010-47CD-8710-CB2B811A2CCF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "0B350AE9-4072-4E78-B891-693E83A10B68",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.2-1:*:*:*:*:*:*:*",
                     matchCriteriaId: "1CBBEAAF-31FB-4EFB-971A-FB6A0A7D237F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "09808721-056C-4BE8-8BFB-D31D6F95C751",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:beta:*:*:*:*:*:*",
                     matchCriteriaId: "9AEB8F31-C6F3-45D1-95C3-D9F4DE8A011F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "423F1192-70EB-4EA8-8FD2-4DD913513311",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "D21FCEAD-0D7B-4B9B-995F-9DC0B59D9EC5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "C31D54C7-B2F6-44F5-A7EE-1256F69561A4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc3:*:*:*:*:*:*",
                     matchCriteriaId: "169C2734-5A10-4486-8329-1B4C99377F34",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc5:*:*:*:*:*:*",
                     matchCriteriaId: "D2A96BDD-CE2A-468B-BA11-420013FD962A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc6:*:*:*:*:*:*",
                     matchCriteriaId: "D36AA137-0B92-4C0C-A110-689CD1D8B13C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.3:rc7:*:*:*:*:*:*",
                     matchCriteriaId: "7B9AF995-8E15-49E5-A999-D46F4021DF9A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "5E35468C-4F35-44CA-AB5A-B744DAAEA5A5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "9BC0703D-CC61-4035-BD4F-4FA225E91247",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.4:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "053CB577-FAA9-4C52-9F70-79EAB0EF2C7F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-1.x:dev:*:*:*:*:*:*",
                     matchCriteriaId: "80718F1B-01E0-470C-A64B-FE6EF21E7B33",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "3972DA1A-AB39-40C0-B07A-C78A14F4BE9F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha1:*:*:*:*:*:*",
                     matchCriteriaId: "6D692A34-334E-4EF6-A9A2-00E0DBCBF8F2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha3:*:*:*:*:*:*",
                     matchCriteriaId: "7D8493A8-16C7-4A86-B117-5D6960672A26",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha4:*:*:*:*:*:*",
                     matchCriteriaId: "16A838C7-F87F-4700-978A-CBE29CC05778",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:alpha5:*:*:*:*:*:*",
                     matchCriteriaId: "4204743A-1AF1-453E-816B-89B789421157",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta1:*:*:*:*:*:*",
                     matchCriteriaId: "ACC858F4-915F-4269-89F4-5850E89D95B0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "CC2E4995-E98D-4EBA-8F68-8D1AC8013220",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta3:*:*:*:*:*:*",
                     matchCriteriaId: "2A4AF219-9088-4AF2-8B59-D72B5B8E0EEF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:beta4:*:*:*:*:*:*",
                     matchCriteriaId: "46BDEF08-D257-47BF-8A43-9968C2B8EF5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "5A9FB606-1EF7-4503-839F-4C1C5128C690",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.0:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "D368C7DA-85EA-4B80-AFF8-20FFE4CCD410",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E725F77-8490-42E5-B4C2-A905375819EE",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.1:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "19315A5D-A5B4-48A2-9823-E7D079578FF7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "C9E1CF58-3074-4917-953A-7B553D42A22B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.2:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "D877BB1B-FDDF-4E32-A708-5C4EF293895B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "2D6AF3DE-116C-4C48-9122-A0AB461F3DA7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:fckeditor:6.x-2.x:dev:*:*:*:*:*:*",
                     matchCriteriaId: "69A13208-719D-4627-BA30-2EE9D7D3D911",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F8B1170D-AD33-4C7A-892D-63AC71B032CF",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "80ACD9BA-BFAA-4421-BF46-FACC1D8EB66C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.0:beta1:*:*:*:*:*:*",
                     matchCriteriaId: "7B8252BB-5C2D-40B1-971E-B170DF5D8583",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "7DD74EB7-12C7-495B-86D8-A63FB853A99E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "39FE612F-4CAC-4D3B-85D2-49201BE699F0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "81515584-8CA5-445C-9396-90236B215104",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "3240117F-7FB4-495C-9CAF-7A902499B3D3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "ED7C7988-B82E-4BB0-B966-E2D5BFB09E69",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "4D62BBD9-C702-4BEA-B8A9-960B31630EA3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.7:*:*:*:*:*:*:*",
                     matchCriteriaId: "61D011F9-21E1-4B47-94D9-68F9E1DF92B2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:6.x-1.x:dev:*:*:*:*:*:*",
                     matchCriteriaId: "7F2EA237-1B55-49F3-B95C-6FAAA28901C8",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "42B69434-2F6F-4D0F-ADB9-FD7BD8A2B296",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "C3398A12-5E6D-4E6B-80B1-D8C177FA8168",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "6F74FCCC-4DAC-40DE-AA3C-8A77D8250EFA",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "73BF8196-B275-4C69-BE33-3F8D8865D8A0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "0A64FD18-5402-4971-8483-95CF3535B019",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "672ACFFD-70C6-457F-BF5B-9B85CCB08959",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "8B4D96C8-18E7-45B5-A107-CBFBFF6D2C85",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "5DB70B6B-3ECC-459D-98DA-0BB76AE9296D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.x:dev:*:*:*:*:*:*",
                     matchCriteriaId: "07087627-FA8A-4E3B-8509-B1A2E4E864B5",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F8B1170D-AD33-4C7A-892D-63AC71B032CF",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
      },
      {
         lang: "es",
         value: "Vulnerabilidad de ejecución de código en sitios cruzados (XSS) en el módulo FCKeditor v6.x-2.x anterior a v6.x-2.3 y el módulo CKEditor v6.x-1.x anterior a v6.x-1.9 y v77.x-1.x anterior a v7.x-1.7 para Drupal permite a usuarios remotos autenticados o atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados.",
      },
   ],
   id: "CVE-2012-2066",
   lastModified: "2024-11-21T01:38:25.357",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
   },
   published: "2012-09-05T00:55:15.137",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482442",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482466",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482480",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "http://drupal.org/node/1482528",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/48435",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.openwall.com/lists/oss-security/2012/04/07/1",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.osvdb.org/80079",
      },
      {
         source: "secalert@redhat.com",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/74036",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482442",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482466",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "http://drupal.org/node/1482480",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "http://drupal.org/node/1482528",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/48435",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.openwall.com/lists/oss-security/2012/04/07/1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.osvdb.org/80079",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/74036",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-11-17 19:15
Modified
2024-11-21 06:25
Summary
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
References
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprjThird Party Advisory
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
security-advisories@github.comhttps://www.drupal.org/sa-core-2021-011Third Party Advisory
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpujul2022.htmlNot Applicable
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprjThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
af854a3a-2127-422b-91ae-364da2661108https://www.drupal.org/sa-core-2021-011Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujul2022.htmlNot Applicable



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B0CAD700-EEEB-4A88-902D-40A62BD7C2D9",
                     versionEndExcluding: "4.17.0",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "32968913-E57B-4EF5-AA96-AECED07BE717",
                     versionEndExcluding: "8.9.20",
                     versionStartIncluding: "8.9.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6D676052-0F9B-4E07-A256-AF075939F05E",
                     versionEndExcluding: "9.1.14",
                     versionStartIncluding: "9.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "E1734889-5F48-4F5F-A579-5FFAB4A4B67F",
                     versionEndExcluding: "9.2.9",
                     versionStartIncluding: "9.2.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6DF2D056-3118-4C31-BEDD-69F016898CBB",
                     versionEndIncluding: "18.3",
                     versionStartIncluding: "18.1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "86F03B63-F922-45CD-A7D1-326DB0042875",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "7CBFC93F-8B39-45A2-981C-59B187169BD4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "0843465C-F940-4FFC-998D-9A2668B75EA0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "366A6277-5D74-44C8-94A9-8ADB5568B5FB",
                     versionEndIncluding: "18.3",
                     versionStartIncluding: "18.1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "18127694-109C-4E7E-AE79-0BA351849291",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CD4A690A-FA85-4BDA-AA2E-093F726DB7DD",
                     versionEndExcluding: "22.1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "2A3622F5-5976-4BBC-A147-FC8A6431EA79",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*",
                     matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D6A4F71A-4269-40FC-8F61-1D1301F2B728",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "5A502118-5B2B-47AE-82EC-1999BD841103",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
                     matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.",
      },
      {
         lang: "es",
         value: "CKEditor4 es un editor HTML WYSIWYG de código abierto.&#xa0;En las versiones afectadas, se detectó una vulnerabilidad en el módulo Advanced Content Filter (ACF) y puede afectar a todos los plugins utilizados por CKEditor 4. La vulnerabilidad permitía inyectar HTML mal formado sin pasar por el saneamiento del contenido, lo que podría resultar en una la ejecución de código JavaScript.&#xa0;Afecta a todos los usuarios que utilizan CKEditor 4 en versiones anteriores a 4.17.0.&#xa0;El problema ha sido reconocido y parcheado.&#xa0;La corrección estará disponible en la versión 4.17.0",
      },
   ],
   id: "CVE-2021-41164",
   lastModified: "2024-11-21T06:25:38.570",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "LOW",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 3.5,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 6.8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 8.2,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 5.3,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-11-17T19:15:08.913",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.drupal.org/sa-core-2021-011",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Not Applicable",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.drupal.org/sa-core-2021-011",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-06-09 12:15
Modified
2024-11-21 06:09
Summary
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
References
cve@mitre.orghttps://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parserPatch, Release Notes, Vendor Advisory
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2021/11/msg00007.htmlMailing List, Third Party Advisory
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
cve@mitre.orghttps://www.drupal.org/sa-core-2021-003Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parserPatch, Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2021/11/msg00007.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
af854a3a-2127-422b-91ae-364da2661108https://www.drupal.org/sa-core-2021-003Patch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EFFB5240-2238-488D-B690-7C2CA9630212",
                     versionEndExcluding: "4.16.1",
                     versionStartIncluding: "4.14.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "1D3D5EBD-1B9B-468E-9CBF-01F54FA8C2F9",
                     versionEndExcluding: "8.9.16",
                     versionStartIncluding: "8.9.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AFA9B1A2-DF65-4E25-8CB1-E042734BDCBC",
                     versionEndExcluding: "9.0.14",
                     versionStartIncluding: "9.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C36AE9CA-FAB9-40C7-AF1B-960C947D4DF4",
                     versionEndExcluding: "9.1.9",
                     versionStartIncluding: "9.1.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.",
      },
      {
         lang: "es",
         value: "Una vulnerabilidad de tipo cross-site scripting (XSS) en el Procesador de Datos HTML en CKEditor versiones 4 4.14.0 hasta 4.16.x versiones anteriores a 4.16.1, permite a atacantes remotos inyectar código JavaScript ejecutable mediante un comentario diseñado porque -!&gt; No es manejado apropiadamente",
      },
   ],
   id: "CVE-2021-33829",
   lastModified: "2024-11-21T06:09:38.707",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-06-09T12:15:07.863",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.drupal.org/sa-core-2021-003",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.drupal.org/sa-core-2021-003",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-01-26 21:15
Modified
2024-11-21 05:56
Summary
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4C5F969A-06A2-4D84-B7DF-1CE68E285C0F",
                     versionEndExcluding: "4.16",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "ED43772F-D280-42F6-A292-7198284D6FE7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6B4D758F-EABD-498C-9C9E-C3F35927F7DC",
                     versionEndExcluding: "21.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C542DC5E-6657-4178-9C69-46FD3C187D56",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "E10F540D-8AAF-42D4-B06A-573C5DC3CC44",
                     versionEndIncluding: "11.3.2",
                     versionStartIncluding: "11.3.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "9B7F80B8-08DC-4263-AB44-1653ED1FEFE3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.2.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "4C65F9D9-AD7B-47B8-8943-79CEA6A95AD6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "40F940AA-05BE-426C-89A3-4098E107D9A7",
                     versionEndIncluding: "8.0.9",
                     versionStartIncluding: "8.0.6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "6FB8AE1F-FA6B-4A5E-AA5B-D0B7C78FE886",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "41C2C67B-BF55-4B48-A94D-1F37A4FAC68C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "2D0E8BB8-DB96-48F2-833A-D246193EEDD4",
                     versionEndIncluding: "8.1.0.0.0",
                     versionStartIncluding: "8.0.8.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "86305E47-33E9-411C-B932-08C395C09982",
                     versionEndExcluding: "9.2.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "90605BF7-9C9B-4AC2-83B6-3666C5A15D43",
                     versionEndIncluding: "21.9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D551CAB1-4312-44AA-BDA8-A030817E153A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "174A6D2E-E42E-4C92-A194-C6A820CD7EF4",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).",
      },
      {
         lang: "es",
         value: "Era posible ejecutar un ataque de tipo ReDoS dentro de CKEditor 4 versiones anteriores a 4.16, al persuadir a una víctima para pegar un texto similar a una URL en el editor y luego presionar Enter o Space  (en el plugin Autolink)",
      },
   ],
   id: "CVE-2021-26272",
   lastModified: "2024-11-21T05:56:00.900",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-01-26T21:15:12.923",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com//security-alerts/cpujul2021.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Not Applicable",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com//security-alerts/cpujul2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-829",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-08-12 17:15
Modified
2024-11-21 06:07
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
References
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/releases/tag/4.16.2Release Notes, Third Party Advisory
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6cThird Party Advisory
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6cThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "041A9BB3-14C9-4038-AA5B-F30EC249DA40",
                     versionEndExcluding: "4.16.2",
                     versionStartIncluding: "4.13.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "485DEB26-3C1D-4FEC-A9C1-D95BFE3B967E",
                     versionEndExcluding: "21.1.4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C542DC5E-6657-4178-9C69-46FD3C187D56",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "2A3622F5-5976-4BBC-A147-FC8A6431EA79",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "34019365-E6E3-4DBC-89EA-5783A29B61B0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "3A1427F8-50F3-45B2-8836-A80ADA70F431",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "7EA4D3C5-6A7C-4421-88EF-445A96DBCE0C",
                     versionEndIncluding: "8.1.1",
                     versionStartIncluding: "8.0.7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.0.8.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "F033C6C8-61D9-41ED-94E6-63BE7BA22EFC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.0.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "4B829B72-7DE0-415F-A1AF-51637F134B76",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9722362B-027B-4311-8F3A-287AE1199019",
                     versionEndIncluding: "9.2.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*",
                     matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "90605BF7-9C9B-4AC2-83B6-3666C5A15D43",
                     versionEndIncluding: "21.9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D551CAB1-4312-44AA-BDA8-A030817E153A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "174A6D2E-E42E-4C92-A194-C6A820CD7EF4",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.",
      },
      {
         lang: "es",
         value: "ckeditor es un editor HTML WYSIWYG de código abierto con soporte de contenido enriquecido. Se ha detectado una vulnerabilidad en el plugin Widget del portapapeles si es usado junto con la funcionalidad undo. La vulnerabilidad permite a un usuario abusar de la funcionalidad undo usando HTML malformado del widget, lo que podría resultar en una ejecución de código JavaScript. Afecta a todos los usuarios que usen los plugins de CKEditor 4 mencionados anteriormente en las versiones posteriores a 4.13.0 incluyéndola. El problema ha sido reconocido y parcheado. La corrección estará disponible en la versión 4.16.2",
      },
   ],
   id: "CVE-2021-32808",
   lastModified: "2024-11-21T06:07:47.340",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "LOW",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 3.5,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 6.8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.6,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 4.7,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-08-12T17:15:08.047",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-11-17 20:15
Modified
2024-11-21 06:25
Summary
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "731006DE-2F79-4025-B00A-91691BC711C7",
                     versionEndExcluding: "4.17.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "32968913-E57B-4EF5-AA96-AECED07BE717",
                     versionEndExcluding: "8.9.20",
                     versionStartIncluding: "8.9.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6D676052-0F9B-4E07-A256-AF075939F05E",
                     versionEndExcluding: "9.1.14",
                     versionStartIncluding: "9.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "E1734889-5F48-4F5F-A579-5FFAB4A4B67F",
                     versionEndExcluding: "9.2.9",
                     versionStartIncluding: "9.2.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "4305ED0E-30CC-4AEA-8988-3D1EC93A0BB2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CD4A690A-FA85-4BDA-AA2E-093F726DB7DD",
                     versionEndExcluding: "22.1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6DF2D056-3118-4C31-BEDD-69F016898CBB",
                     versionEndIncluding: "18.3",
                     versionStartIncluding: "18.1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "86F03B63-F922-45CD-A7D1-326DB0042875",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "7CBFC93F-8B39-45A2-981C-59B187169BD4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "0843465C-F940-4FFC-998D-9A2668B75EA0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "366A6277-5D74-44C8-94A9-8ADB5568B5FB",
                     versionEndIncluding: "18.3",
                     versionStartIncluding: "18.1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "18127694-109C-4E7E-AE79-0BA351849291",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "2A3622F5-5976-4BBC-A147-FC8A6431EA79",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*",
                     matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "D6A4F71A-4269-40FC-8F61-1D1301F2B728",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "5A502118-5B2B-47AE-82EC-1999BD841103",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.",
      },
      {
         lang: "es",
         value: "CKEditor4 es un editor HTML WYSIWYG de código abierto. En la versión afectada se ha detectado una vulnerabilidad en el módulo central de procesamiento de HTML y puede afectar a todos los plugins usados por CKEditor 4. La vulnerabilidad permitía inyectar comentarios HTML malformados omitiendo el saneo del contenido, lo que podía resultar en una ejecución de código JavaScript. Afecta a todos los usuarios que usan el CKEditor 4 en las versiones anteriores a 4.17.0. El problema ha sido reconocido y parcheado. La corrección estará disponible en la versión 4.17.0.",
      },
   ],
   id: "CVE-2021-41165",
   lastModified: "2024-11-21T06:25:38.867",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "LOW",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 3.5,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 6.8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 8.2,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 5.3,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-11-17T20:15:10.273",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.drupal.org/sa-core-2021-011",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Not Applicable",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.drupal.org/sa-core-2021-011",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Not Applicable",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2014-08-07 11:13
Modified
2024-11-21 02:11
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Impacted products
Vendor Product Version
ckeditor ckeditor *
ckeditor ckeditor 4.4.0
ckeditor ckeditor 4.4.1



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "09B89F11-D1ED-41DF-8AA7-907D9B36C56D",
                     versionEndIncluding: "4.4.2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:4.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "F8FEA9F6-DDAA-4883-BC0D-415DBC827272",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:4.4.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "EBA4A112-D497-49CC-B204-A628A00852A2",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
      },
      {
         lang: "es",
         value: "Vulnerabilidad de XSS en el plugin Preview anterior a 4.4.3 en CKEditor permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados.",
      },
   ],
   id: "CVE-2014-5191",
   lastModified: "2024-11-21T02:11:35.260",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
   },
   published: "2014-08-07T11:13:37.063",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "http://ckeditor.com/node/136981",
      },
      {
         source: "cve@mitre.org",
         url: "http://secunia.com/advisories/60036",
      },
      {
         source: "cve@mitre.org",
         url: "http://www.securityfocus.com/bid/69161",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "http://ckeditor.com/node/136981",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://secunia.com/advisories/60036",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.securityfocus.com/bid/69161",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2020-11-12 21:15
Modified
2024-11-21 05:20
Summary
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:4.15.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "11FB2D9A-A2A3-40BC-98DF-F227851FA30E",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "ED43772F-D280-42F6-A292-7198284D6FE7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "8F02ECEF-AC7D-4C4C-9A95-890D135F7286",
                     versionEndExcluding: "21.1.0.00.01",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C542DC5E-6657-4178-9C69-46FD3C187D56",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C2BEE49E-A5AA-42D3-B422-460454505480",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "282150FF-C945-4A3E-8A80-E8757A8907EA",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "645AA3D1-C8B5-4CD2-8ACE-31541FA267F0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "FBCE22C0-4253-40A5-89AE-499A3BC9EFF3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "AB9FC9AB-1070-420F-870E-A5EC43A924A4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B5989E02-5612-4E7F-958F-9292CBBA1D2A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "9B7F80B8-08DC-4263-AB44-1653ED1FEFE3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.2.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "4C65F9D9-AD7B-47B8-8943-79CEA6A95AD6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.3.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "888A8458-7E66-4BDB-998A-EE3A9253499A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.3.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "011EA344-1A80-4482-A505-65C83D21E5B3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "40F940AA-05BE-426C-89A3-4098E107D9A7",
                     versionEndIncluding: "8.0.9",
                     versionStartIncluding: "8.0.6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "6FB8AE1F-FA6B-4A5E-AA5B-D0B7C78FE886",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "41C2C67B-BF55-4B48-A94D-1F37A4FAC68C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "86305E47-33E9-411C-B932-08C395C09982",
                     versionEndExcluding: "9.2.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*",
                     matchCriteriaId: "D0A735B4-4F3C-416B-8C08-9CB21BAD2889",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.",
      },
      {
         lang: "es",
         value: "Una vulnerabilidad de tipo cross-site scripting (XSS) en el plugin Color Dialog para CKEditor versión 4.15.0, permite a atacantes remotos ejecutar script web arbitrario después de persuadir a un usuario para que copie y pegue código HTML diseñado en una de las entradas del editor",
      },
   ],
   id: "CVE-2020-27193",
   lastModified: "2024-11-21T05:20:50.663",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-11-12T21:15:11.107",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/cke4/release/CKEditor-4.15.1",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/ckeditor-4/download/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com//security-alerts/cpujul2021.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/cke4/release/CKEditor-4.15.1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/ckeditor-4/download/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com//security-alerts/cpujul2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-08-12 17:15
Modified
2024-11-21 06:07
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
References
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpggThird Party Advisory
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpggThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "6D43BFDE-1C1E-45E3-B275-B6B0BC33E30C",
                     versionEndExcluding: "4.16.2",
                     versionStartIncluding: "4.5.2",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "485DEB26-3C1D-4FEC-A9C1-D95BFE3B967E",
                     versionEndExcluding: "21.1.4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C542DC5E-6657-4178-9C69-46FD3C187D56",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "2A3622F5-5976-4BBC-A147-FC8A6431EA79",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "34019365-E6E3-4DBC-89EA-5783A29B61B0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "3A1427F8-50F3-45B2-8836-A80ADA70F431",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "7EA4D3C5-6A7C-4421-88EF-445A96DBCE0C",
                     versionEndIncluding: "8.1.1",
                     versionStartIncluding: "8.0.7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "86305E47-33E9-411C-B932-08C395C09982",
                     versionEndExcluding: "9.2.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*",
                     matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.",
      },
      {
         lang: "es",
         value: "ckeditor es un editor HTML WYSIWYG de código abierto con soporte de contenido enriquecido. Se ha detectado una potencial vulnerabilidad en el paquete CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard). La vulnerabilidad permitía abusar de la funcionalidad paste usando HTML malformado, lo que podía resultar en la inyección de HTML arbitrario en el editor. Afecta a todos los usuarios que usen los plugins de CKEditor 4 mencionados anteriormente en las versiones posteriores a 4.5.2 incluyéndola. El problema ha sido reconocido y parcheado. La corrección estará disponible en la versión 4.16.2",
      },
   ],
   id: "CVE-2021-32809",
   lastModified: "2024-11-21T06:07:47.520",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "LOW",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 3.5,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 6.8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.6,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.1,
            impactScore: 2.5,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-08-12T17:15:08.167",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-94",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-03-16 17:15
Modified
2024-11-21 06:50
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
References
security-advisories@github.comhttps://ckeditor.com/cke4/release/CKEditor-4.18.0Release Notes, Vendor Advisory
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hhThird Party Advisory
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
security-advisories@github.comhttps://www.drupal.org/sa-core-2022-005Patch, Third Party Advisory
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://ckeditor.com/cke4/release/CKEditor-4.18.0Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hhThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
af854a3a-2127-422b-91ae-364da2661108https://www.drupal.org/sa-core-2022-005Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "EC4BF70E-8D8F-4E6E-87BC-0103C0ED541F",
                     versionEndExcluding: "4.18.0",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "40450340-0D4F-4A9F-AADB-1708F844690A",
                     versionEndExcluding: "9.2.15",
                     versionStartIncluding: "8.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A9992D37-51EB-4011-9335-D1653AE2D59B",
                     versionEndExcluding: "9.3.8",
                     versionStartIncluding: "9.3.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "48B23728-0050-4AF0-B8B0-A959CBAB4505",
                     versionEndExcluding: "22.1.1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6135501A-3F3C-42BA-B2C4-79403F3510D8",
                     versionEndIncluding: "8.1.0.0.0",
                     versionStartIncluding: "8.0.7.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "3CC69CF0-6269-40F5-871B-16CFD5EC4C45",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "172BECE8-9626-4910-AAA1-A2FA9C7139E3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "ACB82398-7281-47CF-81F9-A8A67D9C9DFE",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AD9AC3A6-9B91-4B55-A320-A40E95F21058",
                     versionEndIncluding: "8.1.2.1",
                     versionStartIncluding: "8.1.1.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B0EF38D2-EF89-4DBC-B305-1A5D5FC0B186",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "155FF008-1054-4943-B1C3-9117E3E51AC3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "B57ECC6E-CC64-4DE7-B657-3BA54EDDFFF4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "10BBAD37-51A1-4819-807B-2642E9D4A69C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*",
                     matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
                     matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.",
      },
      {
         lang: "es",
         value: "CKEditor4 es un editor HTML de código abierto \"lo que visualizas es lo que obtienes\". CKEditor4 versiones anteriores a 4.18.0, contiene una vulnerabilidad en el plugin \"dialog\". La vulnerabilidad permite abusar de una expresión regular del validador de entrada de diálogos, lo que puede causar una importante caída de rendimiento resultando en una congelación de la pestaña del navegador. Se presenta un parche disponible en versión 4.18.0. Actualmente no se conocen medidas de mitigación",
      },
   ],
   id: "CVE-2022-24729",
   lastModified: "2024-11-21T06:50:57.993",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 5,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-03-16T17:15:07.943",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/cke4/release/CKEditor-4.18.0",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.drupal.org/sa-core-2022-005",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/cke4/release/CKEditor-4.18.0",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.drupal.org/sa-core-2022-005",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujul2022.html",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-400",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-1333",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-02-07 16:15
Modified
2024-11-21 08:59
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.
Impacted products
Vendor Product Version
ckeditor ckeditor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:lts:*:*:*",
                     matchCriteriaId: "5070BF32-E186-434A-9640-21D43A3CDA38",
                     versionEndExcluding: "4.24.0",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.",
      },
      {
         lang: "es",
         value: "CKEditor4 es un editor HTML de código abierto de lo que ves es lo que obtienes. Se ha descubierto una vulnerabilidad de cross-site scripting en el módulo principal de análisis HTML en versiones de CKEditor4 anteriores a la 4.24.0-lts. Puede afectar a todas las instancias del editor que habilitaron el modo de edición de página completa o habilitaron elementos CDATA en la configuración de filtrado de contenido avanzado (los elementos predeterminados son `script` y `style`). La vulnerabilidad permite a los atacantes inyectar contenido HTML con formato incorrecto sin pasar por el mecanismo de filtrado de contenido avanzado, lo que podría resultar en la ejecución de código JavaScript. Un atacante podría abusar de la detección de contenido CDATA defectuosa y utilizarla para preparar un ataque intencional al editor. Hay una solución disponible en la versión 4.24.0-lts.",
      },
   ],
   id: "CVE-2024-24815",
   lastModified: "2024-11-21T08:59:46.343",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-02-07T16:15:47.753",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm",
      },
      {
         source: "security-advisories@github.com",
         url: "https://www.drupal.org/sa-contrib-2024-009",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.drupal.org/sa-contrib-2024-009",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "security-advisories@github.com",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-06-13 17:15
Modified
2025-01-03 20:15
Summary
A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server.
Impacted products
Vendor Product Version
ckeditor ckeditor 1.2.3



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:1.2.3:*:*:*:*:redmine:*:*",
                     matchCriteriaId: "F8ED9F26-7429-434C-8FD9-5D1C6825DEB9",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server.",
      },
   ],
   id: "CVE-2023-31541",
   lastModified: "2025-01-03T20:15:26.650",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
            type: "Secondary",
         },
      ],
   },
   published: "2023-06-13T17:15:14.810",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://redmine.com",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://redmineckeditor.com",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://redmine.com",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://redmineckeditor.com",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-434",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-434",
            },
         ],
         source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
         type: "Secondary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2019-11-13 21:15
Modified
2024-11-21 01:33
Summary
hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.
Impacted products
Vendor Product Version
ckeditor ckeditor 7.x-1.4



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:7.x-1.4:*:*:*:*:drupal:*:*",
                     matchCriteriaId: "D603E623-A4E6-411F-BA65-3391FEA5550A",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.",
      },
      {
         lang: "es",
         value: "La función hook_file_download en el módulo CKEditor versiones 7.x-1.4 para Drupal, no restringe correctamente el acceso a archivos privados, lo que permite a atacantes remotos leer archivos privados por medio de una petición directa.",
      },
   ],
   id: "CVE-2011-4972",
   lastModified: "2024-11-21T01:33:23.483",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2019-11-13T21:15:11.430",
   references: [
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2013/06/04/5",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2013/06/04/7",
      },
      {
         source: "secalert@redhat.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://drupal.org/node/1337006",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2013/06/04/5",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "http://www.openwall.com/lists/oss-security/2013/06/04/7",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://drupal.org/node/1337006",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-200",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-03-22 21:15
Modified
2024-11-21 07:55
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.
References
security-advisories@github.comhttps://ckeditor.com/cke4/addon/embedProduct
security-advisories@github.comhttps://ckeditor.com/cke4/addon/iframeProduct
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9gVendor Advisory
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/Mailing List, Third Party Advisory
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/Mailing List, Third Party Advisory
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://ckeditor.com/cke4/addon/embedProduct
af854a3a-2127-422b-91ae-364da2661108https://ckeditor.com/cke4/addon/iframeProduct
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9gVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/Mailing List
Impacted products



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0DFC29A5-004B-4815-AF02-37517672D3F1",
                     versionEndExcluding: "4.21.0",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
                     matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
                     matchCriteriaId: "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
                     matchCriteriaId: "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism.\n\nA fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.",
      },
   ],
   id: "CVE-2023-28439",
   lastModified: "2024-11-21T07:55:04.157",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.7,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.6,
            impactScore: 2.7,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-03-22T21:15:18.607",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/cke4/addon/embed",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/cke4/addon/iframe",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/cke4/addon/embed",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
         ],
         url: "https://ckeditor.com/cke4/addon/iframe",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-08-13 00:15
Modified
2024-11-21 06:15
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
References
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhcThird Party Advisory
security-advisories@github.comhttps://lists.debian.org/debian-lts-announce/2021/11/msg00007.htmlMailing List, Third Party Advisory
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
security-advisories@github.comhttps://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhcThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2021/11/msg00007.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6BEAA71B-F9E5-441E-AB08-E76DAF0A32F8",
                     versionEndExcluding: "4.16.2",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "485DEB26-3C1D-4FEC-A9C1-D95BFE3B967E",
                     versionEndExcluding: "21.1.4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C542DC5E-6657-4178-9C69-46FD3C187D56",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "2A3622F5-5976-4BBC-A147-FC8A6431EA79",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "C91E0944-A93B-4E6C-9547-4FC1A01DEAC6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "34019365-E6E3-4DBC-89EA-5783A29B61B0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "3A1427F8-50F3-45B2-8836-A80ADA70F431",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "7EA4D3C5-6A7C-4421-88EF-445A96DBCE0C",
                     versionEndIncluding: "8.1.1",
                     versionStartIncluding: "8.0.7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "F238CB66-886D-47E8-8DC0-7FC2025771EB",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "2D0E8BB8-DB96-48F2-833A-D246193EEDD4",
                     versionEndIncluding: "8.1.0.0.0",
                     versionStartIncluding: "8.0.8.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "86305E47-33E9-411C-B932-08C395C09982",
                     versionEndExcluding: "9.2.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*",
                     matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
                     matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*",
                     matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.",
      },
      {
         lang: "es",
         value: "ckeditor es un editor HTML WYSIWYG de código abierto con soporte de contenido enriquecido.&#xa0;Se ha detectado una vulnerabilidad potencial en el paquete CKEditor 4 [Fake Objects] (https://ckeditor.com/cke4/addon/fakeobjects).&#xa0;La vulnerabilidad permitió inyectar Fake Objects HTML con formato malformado, lo que podría resultar en una ejecución de código JavaScript.&#xa0;Afecta a todos los usuarios que utilizan los plugins de CKEditor 4 enumerados anteriormente en las versiones anteriores a 4.16.2.&#xa0;El problema ha sido reconocido y solucionado.&#xa0;La corrección estará disponible en la versión 4.16.2.",
      },
   ],
   id: "CVE-2021-37695",
   lastModified: "2024-11-21T06:15:43.433",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "LOW",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 3.5,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 6.8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.3,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.1,
            impactScore: 5.2,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.3,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-08-13T00:15:07.397",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpujan2022.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2018-11-14 20:29
Modified
2024-11-21 03:55
Summary
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
Impacted products
Vendor Product Version
ckeditor ckeditor *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C2EF5C75-2EE5-4D61-99C7-106E0044FFB1",
                     versionEndExcluding: "4.11.0",
                     versionStartIncluding: "4.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.",
      },
      {
         lang: "es",
         value: "CKEditor en versiones 4.x anteriores a la 4.11.0 permite Cross-Site Scripting (XSS) ayudado por un usuario relacionado con una operación de pegado en modo origen.",
      },
   ],
   id: "CVE-2018-17960",
   lastModified: "2024-11-21T03:55:17.017",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.0",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2018-11-14T20:29:00.433",
   references: [
      {
         source: "cve@mitre.org",
         url: "http://www.securityfocus.com/bid/109205",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/cke4/release/CKEditor-4.11.0",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.securityfocus.com/bid/109205",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/cke4/release/CKEditor-4.11.0",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-02-13 20:15
Modified
2024-11-21 07:32
Summary
CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false).
Impacted products
Vendor Product Version
ckeditor ckeditor 35.4.0



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ckeditor:ckeditor:35.4.0:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "F2BA326D-74B1-4665-9DE4-5F5E85D4741A",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [
      {
         sourceIdentifier: "cve@mitre.org",
         tags: [
            "disputed",
         ],
      },
   ],
   descriptions: [
      {
         lang: "en",
         value: "CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false).",
      },
      {
         lang: "es",
         value: "Se descubrió que CKSource CKEditor 5 35.4.0 contiene una vulnerabilidad de cross-site scripting (XSS) a través del widget CKEditor5 con todas las funciones. NOTA: la posición del proveedor es que esto no es una vulnerabilidad. La documentación de CKEditor 5 analiza que es responsabilidad de un integrador (que agrega la funcionalidad de CKEditor 5 a un sitio web) elegir la configuración de seguridad correcta para su caso de uso. Además, se establecen valores predeterminados seguros (por ejemplo, config.htmlEmbed.showPreviews es falso).",
      },
   ],
   id: "CVE-2022-48110",
   lastModified: "2024-11-21T07:32:50.707",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 2.7,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-02-13T20:15:10.820",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "https://packetstormsecurity.com/files/170927/CKSource-CKEditor5-35.4.0-Cross-Site-Scripting.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "https://packetstormsecurity.com/files/170927/CKSource-CKEditor5-35.4.0-Cross-Site-Scripting.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

cve-2021-37695
Vulnerability from cvelistv5
Published
2021-08-12 23:10
Modified
2024-08-04 01:23
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: < 4.16.2
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T01:23:01.506Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58",
               },
               {
                  name: "FEDORA-2021-51457da891",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
               },
               {
                  name: "FEDORA-2021-72176a63a8",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
               },
               {
                  name: "FEDORA-2021-87578dca12",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  name: "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.16.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.3,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-02-07T14:42:37",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58",
            },
            {
               name: "FEDORA-2021-51457da891",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
            },
            {
               name: "FEDORA-2021-72176a63a8",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
            },
            {
               name: "FEDORA-2021-87578dca12",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               name: "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
         ],
         source: {
            advisory: "GHSA-m94c-37g6-cjhc",
            discovery: "UNKNOWN",
         },
         title: "Execution of JavaScript code using malformed HTML in ckeditor",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2021-37695",
               STATE: "PUBLIC",
               TITLE: "Execution of JavaScript code using malformed HTML in ckeditor",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ckeditor4",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "< 4.16.2",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ckeditor",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.3,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc",
                     refsource: "CONFIRM",
                     url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc",
                  },
                  {
                     name: "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58",
                     refsource: "MISC",
                     url: "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58",
                  },
                  {
                     name: "FEDORA-2021-51457da891",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
                  },
                  {
                     name: "FEDORA-2021-72176a63a8",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
                  },
                  {
                     name: "FEDORA-2021-87578dca12",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2022.html",
                  },
               ],
            },
            source: {
               advisory: "GHSA-m94c-37g6-cjhc",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-37695",
      datePublished: "2021-08-12T23:10:10",
      dateReserved: "2021-07-29T00:00:00",
      dateUpdated: "2024-08-04T01:23:01.506Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-48110
Vulnerability from cvelistv5
Published
2023-02-13 00:00
Modified
2024-08-03 15:02
Severity ?
Summary
CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false).
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T15:02:36.668Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://packetstormsecurity.com/files/170927/CKSource-CKEditor5-35.4.0-Cross-Site-Scripting.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false).",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-02-14T00:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html",
            },
            {
               url: "https://packetstormsecurity.com/files/170927/CKSource-CKEditor5-35.4.0-Cross-Site-Scripting.html",
            },
         ],
         tags: [
            "disputed",
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2022-48110",
      datePublished: "2023-02-13T00:00:00",
      dateReserved: "2022-12-29T00:00:00",
      dateUpdated: "2024-08-03T15:02:36.668Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-33829
Vulnerability from cvelistv5
Published
2021-06-09 11:51
Modified
2024-08-03 23:58
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T23:58:23.102Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.drupal.org/sa-core-2021-003",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser",
               },
               {
                  name: "FEDORA-2021-51457da891",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
               },
               {
                  name: "FEDORA-2021-72176a63a8",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
               },
               {
                  name: "FEDORA-2021-87578dca12",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
               },
               {
                  name: "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-11-09T10:06:15",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.drupal.org/sa-core-2021-003",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser",
            },
            {
               name: "FEDORA-2021-51457da891",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
            },
            {
               name: "FEDORA-2021-72176a63a8",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
            },
            {
               name: "FEDORA-2021-87578dca12",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
            },
            {
               name: "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2021-33829",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.drupal.org/sa-core-2021-003",
                     refsource: "CONFIRM",
                     url: "https://www.drupal.org/sa-core-2021-003",
                  },
                  {
                     name: "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser",
                     refsource: "MISC",
                     url: "https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser",
                  },
                  {
                     name: "FEDORA-2021-51457da891",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
                  },
                  {
                     name: "FEDORA-2021-72176a63a8",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
                  },
                  {
                     name: "FEDORA-2021-87578dca12",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
                  },
                  {
                     name: "[debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2021-33829",
      datePublished: "2021-06-09T11:51:00",
      dateReserved: "2021-06-03T00:00:00",
      dateUpdated: "2024-08-03T23:58:23.102Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2014-5191
Vulnerability from cvelistv5
Published
2014-08-07 10:00
Modified
2024-08-06 11:34
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
http://ckeditor.com/node/136981x_refsource_CONFIRM
http://secunia.com/advisories/60036third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/69161vdb-entry, x_refsource_BID
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T11:34:37.519Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://ckeditor.com/node/136981",
               },
               {
                  name: "60036",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/60036",
               },
               {
                  name: "69161",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/69161",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2014-07-15T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2015-04-29T18:57:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://ckeditor.com/node/136981",
            },
            {
               name: "60036",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/60036",
            },
            {
               name: "69161",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/69161",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2014-5191",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "http://ckeditor.com/node/136981",
                     refsource: "CONFIRM",
                     url: "http://ckeditor.com/node/136981",
                  },
                  {
                     name: "60036",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/60036",
                  },
                  {
                     name: "69161",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/69161",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2014-5191",
      datePublished: "2014-08-07T10:00:00",
      dateReserved: "2014-08-07T00:00:00",
      dateUpdated: "2024-08-06T11:34:37.519Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-24728
Vulnerability from cvelistv5
Published
2022-03-16 00:00
Modified
2024-08-03 04:20
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: < 4.18.0
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T04:20:49.856Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/cke4/release/CKEditor-4.18.0",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.drupal.org/sa-core-2022-005",
               },
               {
                  name: "FEDORA-2022-b61dfd219b",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
               },
               {
                  name: "FEDORA-2022-4c634ee466",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.18.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-11-14T00:00:00",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89",
            },
            {
               url: "https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949",
            },
            {
               url: "https://ckeditor.com/cke4/release/CKEditor-4.18.0",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
            {
               url: "https://www.drupal.org/sa-core-2022-005",
            },
            {
               name: "FEDORA-2022-b61dfd219b",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
            },
            {
               name: "FEDORA-2022-4c634ee466",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
            },
         ],
         source: {
            advisory: "GHSA-4fc4-4p5g-6w89",
            discovery: "UNKNOWN",
         },
         title: "Cross-site Scripting in CKEditor4",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-24728",
      datePublished: "2022-03-16T00:00:00",
      dateReserved: "2022-02-10T00:00:00",
      dateUpdated: "2024-08-03T04:20:49.856Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-27193
Vulnerability from cvelistv5
Published
2020-11-12 20:31
Modified
2024-08-04 16:11
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T16:11:35.976Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/ckeditor-4/download/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/cke4/release/CKEditor-4.15.1",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com//security-alerts/cpujul2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-10-20T10:39:35",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/ckeditor-4/download/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://ckeditor.com/cke4/release/CKEditor-4.15.1",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com//security-alerts/cpujul2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-27193",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://ckeditor.com/ckeditor-4/download/",
                     refsource: "MISC",
                     url: "https://ckeditor.com/ckeditor-4/download/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuApr2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  },
                  {
                     name: "https://ckeditor.com/cke4/release/CKEditor-4.15.1",
                     refsource: "CONFIRM",
                     url: "https://ckeditor.com/cke4/release/CKEditor-4.15.1",
                  },
                  {
                     name: "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/",
                     refsource: "CONFIRM",
                     url: "https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/",
                  },
                  {
                     name: "https://www.oracle.com//security-alerts/cpujul2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com//security-alerts/cpujul2021.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-27193",
      datePublished: "2020-11-12T20:31:41",
      dateReserved: "2020-10-16T00:00:00",
      dateUpdated: "2024-08-04T16:11:35.976Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-9440
Vulnerability from cvelistv5
Published
2020-03-10 16:57
Modified
2024-08-04 10:26
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T10:26:16.100Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed",
               },
               {
                  name: "FEDORA-2020-8d5de93970",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/",
               },
               {
                  name: "FEDORA-2020-261449d821",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/",
               },
               {
                  name: "FEDORA-2020-a832c215bf",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-03-29T03:06:02",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed",
            },
            {
               name: "FEDORA-2020-8d5de93970",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/",
            },
            {
               name: "FEDORA-2020-261449d821",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/",
            },
            {
               name: "FEDORA-2020-a832c215bf",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-9440",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed",
                     refsource: "MISC",
                     url: "https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed",
                  },
                  {
                     name: "FEDORA-2020-8d5de93970",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/",
                  },
                  {
                     name: "FEDORA-2020-261449d821",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/",
                  },
                  {
                     name: "FEDORA-2020-a832c215bf",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-9440",
      datePublished: "2020-03-10T16:57:12",
      dateReserved: "2020-02-28T00:00:00",
      dateUpdated: "2024-08-04T10:26:16.100Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41164
Vulnerability from cvelistv5
Published
2021-11-17 00:00
Modified
2024-08-04 02:59
Summary
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: < 4.17.0
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T02:59:31.641Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.drupal.org/sa-core-2021-011",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
               {
                  name: "FEDORA-2022-b61dfd219b",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
               },
               {
                  name: "FEDORA-2022-4c634ee466",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.17.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-11-14T00:00:00",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj",
            },
            {
               url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
            {
               url: "https://www.drupal.org/sa-core-2021-011",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
            {
               name: "FEDORA-2022-b61dfd219b",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
            },
            {
               name: "FEDORA-2022-4c634ee466",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
            },
         ],
         source: {
            advisory: "GHSA-pvmx-g8h5-cprj",
            discovery: "UNKNOWN",
         },
         title: "Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-41164",
      datePublished: "2021-11-17T00:00:00",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-08-04T02:59:31.641Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-32808
Vulnerability from cvelistv5
Published
2021-08-12 16:25
Modified
2024-08-03 23:33
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: >= 4.13.0, < 4.16.2
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T23:33:55.865Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2",
               },
               {
                  name: "FEDORA-2021-51457da891",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
               },
               {
                  name: "FEDORA-2021-72176a63a8",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
               },
               {
                  name: "FEDORA-2021-87578dca12",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: ">= 4.13.0, < 4.16.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.6,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-02-07T14:42:14",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2",
            },
            {
               name: "FEDORA-2021-51457da891",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
            },
            {
               name: "FEDORA-2021-72176a63a8",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
            },
            {
               name: "FEDORA-2021-87578dca12",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
         ],
         source: {
            advisory: "GHSA-6226-h7ff-ch6c",
            discovery: "UNKNOWN",
         },
         title: "Cross-site scripting in ckeditor via abuse of undo functionality",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2021-32808",
               STATE: "PUBLIC",
               TITLE: "Cross-site scripting in ckeditor via abuse of undo functionality",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ckeditor4",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: ">= 4.13.0, < 4.16.2",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ckeditor",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.6,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c",
                     refsource: "CONFIRM",
                     url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c",
                  },
                  {
                     name: "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2",
                     refsource: "MISC",
                     url: "https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2",
                  },
                  {
                     name: "FEDORA-2021-51457da891",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
                  },
                  {
                     name: "FEDORA-2021-72176a63a8",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
                  },
                  {
                     name: "FEDORA-2021-87578dca12",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2022.html",
                  },
               ],
            },
            source: {
               advisory: "GHSA-6226-h7ff-ch6c",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-32808",
      datePublished: "2021-08-12T16:25:10",
      dateReserved: "2021-05-12T00:00:00",
      dateUpdated: "2024-08-03T23:33:55.865Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-9281
Vulnerability from cvelistv5
Published
2020-03-07 00:02
Modified
2024-08-04 10:26
Severity ?
Summary
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T10:26:15.821Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "FEDORA-2020-8d5de93970",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/",
               },
               {
                  name: "FEDORA-2020-261449d821",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/",
               },
               {
                  name: "FEDORA-2020-a832c215bf",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted \"protected\" comment (with the cke_protected syntax).",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-02-07T14:41:10",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "FEDORA-2020-8d5de93970",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/",
            },
            {
               name: "FEDORA-2020-261449d821",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/",
            },
            {
               name: "FEDORA-2020-a832c215bf",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/ckeditor/ckeditor4",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-9281",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted \"protected\" comment (with the cke_protected syntax).",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "FEDORA-2020-8d5de93970",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/",
                  },
                  {
                     name: "FEDORA-2020-261449d821",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/",
                  },
                  {
                     name: "FEDORA-2020-a832c215bf",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
                  },
                  {
                     name: "https://github.com/ckeditor/ckeditor4",
                     refsource: "MISC",
                     url: "https://github.com/ckeditor/ckeditor4",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2021.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuApr2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2022.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-9281",
      datePublished: "2020-03-07T00:02:27",
      dateReserved: "2020-02-19T00:00:00",
      dateUpdated: "2024-08-04T10:26:15.821Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-26271
Vulnerability from cvelistv5
Published
2021-01-26 20:39
Modified
2024-08-03 20:19
Severity ?
Summary
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T20:19:20.393Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com//security-alerts/cpujul2021.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-10-20T10:41:40",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com//security-alerts/cpujul2021.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2021-26271",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
                     refsource: "MISC",
                     url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
                  },
                  {
                     name: "https://www.oracle.com//security-alerts/cpujul2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com//security-alerts/cpujul2021.html",
                  },
                  {
                     name: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
                     refsource: "CONFIRM",
                     url: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2021-26271",
      datePublished: "2021-01-26T20:39:46",
      dateReserved: "2021-01-26T00:00:00",
      dateUpdated: "2024-08-03T20:19:20.393Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2012-2067
Vulnerability from cvelistv5
Published
2012-09-05 00:00
Modified
2024-08-06 19:17
Severity ?
Summary
Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information.
References
http://drupal.org/node/1482442x_refsource_CONFIRM
http://www.osvdb.org/80080vdb-entry, x_refsource_OSVDB
https://exchange.xforce.ibmcloud.com/vulnerabilities/74037vdb-entry, x_refsource_XF
http://drupal.org/node/1482480x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2012/04/07/1mailing-list, x_refsource_MLIST
http://drupal.org/node/1482466x_refsource_CONFIRM
http://secunia.com/advisories/48435third-party-advisory, x_refsource_SECUNIA
http://drupal.org/node/1482528x_refsource_MISC
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T19:17:27.699Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://drupal.org/node/1482442",
               },
               {
                  name: "80080",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://www.osvdb.org/80080",
               },
               {
                  name: "ckeditor-drupal-code-execution(74037)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/74037",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://drupal.org/node/1482480",
               },
               {
                  name: "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2012/04/07/1",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://drupal.org/node/1482466",
               },
               {
                  name: "48435",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/48435",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://drupal.org/node/1482528",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2012-03-15T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter.  NOTE: some of these details are obtained from third party information.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-08-28T12:57:01",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://drupal.org/node/1482442",
            },
            {
               name: "80080",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://www.osvdb.org/80080",
            },
            {
               name: "ckeditor-drupal-code-execution(74037)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/74037",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://drupal.org/node/1482480",
            },
            {
               name: "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2012/04/07/1",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://drupal.org/node/1482466",
            },
            {
               name: "48435",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/48435",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://drupal.org/node/1482528",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2012-2067",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter.  NOTE: some of these details are obtained from third party information.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "http://drupal.org/node/1482442",
                     refsource: "CONFIRM",
                     url: "http://drupal.org/node/1482442",
                  },
                  {
                     name: "80080",
                     refsource: "OSVDB",
                     url: "http://www.osvdb.org/80080",
                  },
                  {
                     name: "ckeditor-drupal-code-execution(74037)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/74037",
                  },
                  {
                     name: "http://drupal.org/node/1482480",
                     refsource: "CONFIRM",
                     url: "http://drupal.org/node/1482480",
                  },
                  {
                     name: "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2012/04/07/1",
                  },
                  {
                     name: "http://drupal.org/node/1482466",
                     refsource: "CONFIRM",
                     url: "http://drupal.org/node/1482466",
                  },
                  {
                     name: "48435",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/48435",
                  },
                  {
                     name: "http://drupal.org/node/1482528",
                     refsource: "MISC",
                     url: "http://drupal.org/node/1482528",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2012-2067",
      datePublished: "2012-09-05T00:00:00",
      dateReserved: "2012-04-04T00:00:00",
      dateUpdated: "2024-08-06T19:17:27.699Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2018-17960
Vulnerability from cvelistv5
Published
2018-11-14 20:00
Modified
2024-08-05 11:01
Severity ?
Summary
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T11:01:14.714Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/cke4/release/CKEditor-4.11.0",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
               },
               {
                  name: "109205",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/109205",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2018-11-14T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-07-23T22:31:37",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/cke4/release/CKEditor-4.11.0",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
            },
            {
               name: "109205",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/109205",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2018-17960",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/",
                     refsource: "MISC",
                     url: "https://ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/",
                  },
                  {
                     name: "https://ckeditor.com/cke4/release/CKEditor-4.11.0",
                     refsource: "MISC",
                     url: "https://ckeditor.com/cke4/release/CKEditor-4.11.0",
                  },
                  {
                     name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
                  },
                  {
                     name: "109205",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/109205",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2018-17960",
      datePublished: "2018-11-14T20:00:00",
      dateReserved: "2018-10-03T00:00:00",
      dateUpdated: "2024-08-05T11:01:14.714Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-24815
Vulnerability from cvelistv5
Published
2024-02-07 15:14
Modified
2025-02-13 17:40
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: < 4.24.0-lts
Show details on NVD website


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-24815",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-02-08T16:41:58.530703Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-07-05T17:21:42.034Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-01T23:28:12.743Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm",
               },
               {
                  name: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
               },
               {
                  name: "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata",
               },
               {
                  name: "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html",
               },
               {
                  name: "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.drupal.org/sa-contrib-2024-009",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.24.0-lts",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.1,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-03-06T10:05:59.496Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm",
            },
            {
               name: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
            },
            {
               name: "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_dtd.html#property-S-cdata",
            },
            {
               name: "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html",
            },
            {
               name: "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/docs/ckeditor4/latest/guide/dev_advanced_content_filter.html",
            },
            {
               url: "https://www.drupal.org/sa-contrib-2024-009",
            },
         ],
         source: {
            advisory: "GHSA-fq6h-4g8v-qqvm",
            discovery: "UNKNOWN",
         },
         title: "CKEditor4 Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-24815",
      datePublished: "2024-02-07T15:14:32.361Z",
      dateReserved: "2024-01-31T16:28:17.942Z",
      dateUpdated: "2025-02-13T17:40:30.582Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-28439
Vulnerability from cvelistv5
Published
2023-03-22 20:55
Modified
2025-02-13 16:48
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: < 4.21.0
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T12:38:25.306Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g",
               },
               {
                  name: "https://ckeditor.com/cke4/addon/embed",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/cke4/addon/embed",
               },
               {
                  name: "https://ckeditor.com/cke4/addon/iframe",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/cke4/addon/iframe",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-28439",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-15T17:09:11.109854Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-15T17:12:27.344Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.21.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism.\n\nA fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.7,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-11-03T20:06:59.123Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g",
            },
            {
               name: "https://ckeditor.com/cke4/addon/embed",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/cke4/addon/embed",
            },
            {
               name: "https://ckeditor.com/cke4/addon/iframe",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/cke4/addon/iframe",
            },
            {
               url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWKG2VCPJNETVCDTXU4X6FQ2PO6XCNGN/",
            },
            {
               url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCYKD3JZWWA3ESOZG4PHJJEXT4EYIUIQ/",
            },
            {
               url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4ODGOW6PYVOXHQSMWJBOCE6DXWAI33W/",
            },
         ],
         source: {
            advisory: "GHSA-vh5c-xwqv-cv9g",
            discovery: "UNKNOWN",
         },
         title: "ckeditor4 plugins vulnerable to cross-site scripting caused by the editor instance destroying process",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2023-28439",
      datePublished: "2023-03-22T20:55:00.208Z",
      dateReserved: "2023-03-15T15:59:10.054Z",
      dateUpdated: "2025-02-13T16:48:42.069Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-32809
Vulnerability from cvelistv5
Published
2021-08-12 17:10
Modified
2024-08-03 23:33
Summary
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: >= 4.5.2, < 4.16.2
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T23:33:56.090Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg",
               },
               {
                  name: "FEDORA-2021-51457da891",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
               },
               {
                  name: "FEDORA-2021-72176a63a8",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
               },
               {
                  name: "FEDORA-2021-87578dca12",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: ">= 4.5.2, < 4.16.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.6,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-94",
                     description: "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-02-07T14:42:15",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg",
            },
            {
               name: "FEDORA-2021-51457da891",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
            },
            {
               name: "FEDORA-2021-72176a63a8",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
            },
            {
               name: "FEDORA-2021-87578dca12",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
         ],
         source: {
            advisory: "GHSA-7889-rm5j-hpgg",
            discovery: "UNKNOWN",
         },
         title: "Arbitrary HTML injection vulnerability in ckeditor",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2021-32809",
               STATE: "PUBLIC",
               TITLE: "Arbitrary HTML injection vulnerability in ckeditor",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ckeditor4",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: ">= 4.5.2, < 4.16.2",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ckeditor",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 4.6,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-94: Improper Control of Generation of Code ('Code Injection')",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg",
                     refsource: "CONFIRM",
                     url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg",
                  },
                  {
                     name: "FEDORA-2021-51457da891",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/",
                  },
                  {
                     name: "FEDORA-2021-72176a63a8",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/",
                  },
                  {
                     name: "FEDORA-2021-87578dca12",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2022.html",
                  },
               ],
            },
            source: {
               advisory: "GHSA-7889-rm5j-hpgg",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-32809",
      datePublished: "2021-08-12T17:10:09",
      dateReserved: "2021-05-12T00:00:00",
      dateUpdated: "2024-08-03T23:33:56.090Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2012-2066
Vulnerability from cvelistv5
Published
2012-09-05 00:00
Modified
2024-08-06 19:17
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
http://drupal.org/node/1482442x_refsource_CONFIRM
http://drupal.org/node/1482480x_refsource_CONFIRM
http://www.osvdb.org/80079vdb-entry, x_refsource_OSVDB
http://www.openwall.com/lists/oss-security/2012/04/07/1mailing-list, x_refsource_MLIST
http://drupal.org/node/1482466x_refsource_CONFIRM
https://exchange.xforce.ibmcloud.com/vulnerabilities/74036vdb-entry, x_refsource_XF
http://secunia.com/advisories/48435third-party-advisory, x_refsource_SECUNIA
http://drupal.org/node/1482528x_refsource_MISC
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T19:17:27.870Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://drupal.org/node/1482442",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://drupal.org/node/1482480",
               },
               {
                  name: "80079",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://www.osvdb.org/80079",
               },
               {
                  name: "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2012/04/07/1",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://drupal.org/node/1482466",
               },
               {
                  name: "ckeditor-drupal-unspec-xss(74036)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/74036",
               },
               {
                  name: "48435",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/48435",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://drupal.org/node/1482528",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2012-03-15T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-08-28T12:57:01",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://drupal.org/node/1482442",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://drupal.org/node/1482480",
            },
            {
               name: "80079",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://www.osvdb.org/80079",
            },
            {
               name: "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2012/04/07/1",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://drupal.org/node/1482466",
            },
            {
               name: "ckeditor-drupal-unspec-xss(74036)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/74036",
            },
            {
               name: "48435",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/48435",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://drupal.org/node/1482528",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2012-2066",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "http://drupal.org/node/1482442",
                     refsource: "CONFIRM",
                     url: "http://drupal.org/node/1482442",
                  },
                  {
                     name: "http://drupal.org/node/1482480",
                     refsource: "CONFIRM",
                     url: "http://drupal.org/node/1482480",
                  },
                  {
                     name: "80079",
                     refsource: "OSVDB",
                     url: "http://www.osvdb.org/80079",
                  },
                  {
                     name: "[oss-security] 20120406 CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2012/04/07/1",
                  },
                  {
                     name: "http://drupal.org/node/1482466",
                     refsource: "CONFIRM",
                     url: "http://drupal.org/node/1482466",
                  },
                  {
                     name: "ckeditor-drupal-unspec-xss(74036)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/74036",
                  },
                  {
                     name: "48435",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/48435",
                  },
                  {
                     name: "http://drupal.org/node/1482528",
                     refsource: "MISC",
                     url: "http://drupal.org/node/1482528",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2012-2066",
      datePublished: "2012-09-05T00:00:00",
      dateReserved: "2012-04-04T00:00:00",
      dateUpdated: "2024-08-06T19:17:27.870Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41165
Vulnerability from cvelistv5
Published
2021-11-17 19:15
Modified
2024-08-04 02:59
Summary
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: < 4.17.0
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T02:59:31.758Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.drupal.org/sa-core-2021-011",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.17.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-07-25T16:37:57",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.drupal.org/sa-core-2021-011",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
         ],
         source: {
            advisory: "GHSA-7h26-63m7-qhf2",
            discovery: "UNKNOWN",
         },
         title: "HTML comments vulnerability allowing to execute JavaScript code",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2021-41165",
               STATE: "PUBLIC",
               TITLE: "HTML comments vulnerability allowing to execute JavaScript code",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ckeditor4",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "< 4.17.0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ckeditor",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417",
                     refsource: "MISC",
                     url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417",
                  },
                  {
                     name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2",
                     refsource: "CONFIRM",
                     url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2022.html",
                  },
                  {
                     name: "https://www.drupal.org/sa-core-2021-011",
                     refsource: "CONFIRM",
                     url: "https://www.drupal.org/sa-core-2021-011",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2022.html",
                  },
               ],
            },
            source: {
               advisory: "GHSA-7h26-63m7-qhf2",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-41165",
      datePublished: "2021-11-17T19:15:11",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-08-04T02:59:31.758Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-24729
Vulnerability from cvelistv5
Published
2022-03-16 00:00
Modified
2024-08-03 04:20
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: < 4.18.0
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T04:20:49.845Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/cke4/release/CKEditor-4.18.0",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.drupal.org/sa-core-2022-005",
               },
               {
                  name: "FEDORA-2022-b61dfd219b",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
               },
               {
                  name: "FEDORA-2022-4c634ee466",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.18.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 6.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400: Uncontrolled Resource Consumption",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-11-14T00:00:00",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               url: "https://ckeditor.com/cke4/release/CKEditor-4.18.0",
            },
            {
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
            {
               url: "https://www.drupal.org/sa-core-2022-005",
            },
            {
               name: "FEDORA-2022-b61dfd219b",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/",
            },
            {
               name: "FEDORA-2022-4c634ee466",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/",
            },
         ],
         source: {
            advisory: "GHSA-f6rf-9m92-x2hh",
            discovery: "UNKNOWN",
         },
         title: "Regular expression Denial of Service in dialog plugin",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-24729",
      datePublished: "2022-03-16T00:00:00",
      dateReserved: "2022-02-10T00:00:00",
      dateUpdated: "2024-08-03T04:20:49.845Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-31541
Vulnerability from cvelistv5
Published
2023-06-13 00:00
Modified
2025-01-03 19:28
Severity ?
Summary
A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server.
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T14:53:31.029Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://redmine.com",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://redmineckeditor.com",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "HIGH",
                     baseScore: 9.8,
                     baseSeverity: "CRITICAL",
                     confidentialityImpact: "HIGH",
                     integrityImpact: "HIGH",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2023-31541",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-03T19:28:03.588412Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-434",
                        description: "CWE-434 Unrestricted Upload of File with Dangerous Type",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-03T19:28:07.534Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-06-13T00:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "http://redmine.com",
            },
            {
               url: "http://redmineckeditor.com",
            },
            {
               url: "https://github.com/DreamD2v/CVE-2023-31541/blob/main/CVE-2023-31541.md",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2023-31541",
      datePublished: "2023-06-13T00:00:00",
      dateReserved: "2023-04-29T00:00:00",
      dateUpdated: "2025-01-03T19:28:07.534Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-24816
Vulnerability from cvelistv5
Published
2024-02-07 16:58
Modified
2024-08-01 23:28
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: < 4.24.0-lts
Show details on NVD website


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-24816",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-02-21T20:41:03.498820Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T17:43:36.184Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-01T23:28:12.611Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76",
               },
               {
                  name: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
               },
               {
                  name: "https://ckeditor.com/cke4/addon/preview",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/cke4/addon/preview",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.24.0-lts",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.1,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-02-07T16:58:24.564Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76",
            },
            {
               name: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb",
            },
            {
               name: "https://ckeditor.com/cke4/addon/preview",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/cke4/addon/preview",
            },
         ],
         source: {
            advisory: "GHSA-mw2c-vx6j-mg76",
            discovery: "UNKNOWN",
         },
         title: "Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-24816",
      datePublished: "2024-02-07T16:58:24.564Z",
      dateReserved: "2024-01-31T16:28:17.942Z",
      dateUpdated: "2024-08-01T23:28:12.611Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-43407
Vulnerability from cvelistv5
Published
2024-08-21 15:03
Modified
2024-08-21 19:54
Summary
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.
Impacted products
Vendor Product Version
ckeditor ckeditor4 Version: < 4.25.0-lts
Show details on NVD website


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-43407",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-08-21T19:12:17.228243Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-08-21T19:54:12.846Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "ckeditor4",
               vendor: "ckeditor",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.25.0-lts",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.1,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-08-21T15:03:41.629Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv",
            },
            {
               name: "https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94",
            },
            {
               name: "https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa",
            },
         ],
         source: {
            advisory: "GHSA-7r32-vfj5-c2jv",
            discovery: "UNKNOWN",
         },
         title: "Code Snippet GeSHi plugin has reflected cross-site scripting (XSS) vulnerability",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-43407",
      datePublished: "2024-08-21T15:03:41.629Z",
      dateReserved: "2024-08-12T18:02:04.966Z",
      dateUpdated: "2024-08-21T19:54:12.846Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2011-4972
Vulnerability from cvelistv5
Published
2019-11-13 20:51
Modified
2024-08-07 00:23
Severity ?
Summary
hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.
Impacted products
Vendor Product Version
CKSource CKEditor Drupal module Version: 7.x-1.4
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T00:23:39.372Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://drupal.org/node/1337006",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2013/06/04/5",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2013/06/04/7",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "CKEditor Drupal module",
               vendor: "CKSource",
               versions: [
                  {
                     status: "affected",
                     version: "7.x-1.4",
                  },
               ],
            },
         ],
         datePublic: "2013-06-04T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Insecure Permissions",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-11-13T20:51:23",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://drupal.org/node/1337006",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://www.openwall.com/lists/oss-security/2013/06/04/5",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://www.openwall.com/lists/oss-security/2013/06/04/7",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2011-4972",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "CKEditor Drupal module",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "7.x-1.4",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "CKSource",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attackers to read private files via a direct request.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "Insecure Permissions",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://drupal.org/node/1337006",
                     refsource: "MISC",
                     url: "https://drupal.org/node/1337006",
                  },
                  {
                     name: "http://www.openwall.com/lists/oss-security/2013/06/04/5",
                     refsource: "MISC",
                     url: "http://www.openwall.com/lists/oss-security/2013/06/04/5",
                  },
                  {
                     name: "http://www.openwall.com/lists/oss-security/2013/06/04/7",
                     refsource: "MISC",
                     url: "http://www.openwall.com/lists/oss-security/2013/06/04/7",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2011-4972",
      datePublished: "2019-11-13T20:51:23",
      dateReserved: "2011-12-23T00:00:00",
      dateUpdated: "2024-08-07T00:23:39.372Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-26272
Vulnerability from cvelistv5
Published
2021-01-26 20:39
Modified
2024-08-03 20:19
Severity ?
Summary
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T20:19:20.393Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com//security-alerts/cpujul2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-02-07T14:41:52",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com//security-alerts/cpujul2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2021-26272",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
                     refsource: "MISC",
                     url: "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416",
                  },
                  {
                     name: "https://www.oracle.com//security-alerts/cpujul2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com//security-alerts/cpujul2021.html",
                  },
                  {
                     name: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
                     refsource: "MISC",
                     url: "https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2022.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2021-26272",
      datePublished: "2021-01-26T20:39:56",
      dateReserved: "2021-01-26T00:00:00",
      dateUpdated: "2024-08-03T20:19:20.393Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}