forked from rubysec/ruby-advisory-db
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCVE-2021-33829.yml
More file actions
29 lines (29 loc) · 1.57 KB
/
CVE-2021-33829.yml
File metadata and controls
29 lines (29 loc) · 1.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
---
gem: ckeditor
cve: 2021-33829
ghsa: rgx6-rjj4-c388
url: https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
title: ckeditor4 vulnerable to cross-site scripting
date: 2021-06-21
description: |
A cross-site scripting (XSS) vulnerability in the HTML Data Processor
in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject
executable JavaScript code through a crafted comment because `--!>` is mishandled.
cvss_v3: 6.1
unaffected_versions:
- "< 5.1.1"
patched_versions:
- ">= 5.1.2"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2021-33829
- https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
- https://www.npmjs.com/package/ckeditor4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- https://www.drupal.org/sa-core-2021-003
- https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2021-33829.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2021-33829.yaml
- https://github.com/advisories/GHSA-rgx6-rjj4-c388