PT-2021-4279 · Unknown · Ckeditor 4

Or Sahar · Published 2021-06-09 · Updated 2025-12-18

CVE-2021-33829
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CKEditor 4 versions 4.14.0 through 4.16.x
Description: A cross-site scripting (XSS) vulnerability in the HTML Data Processor allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. This issue may allow a remote attacker to impact data integrity.
Recommendations: For CKEditor 4 versions 4.14.0 through 4.16.x, update to version 4.16.1 or later to resolve the issue. As a temporary workaround, consider disabling the HTML Data Processor feature until a patch is available. Restrict access to the HTML Data Processor module to minimize the risk of exploitation. Avoid using crafted comments in the affected module until the issue is resolved.
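Added illustration of the underlying parser differential (this is not CKEditor's code and not the 4.16.1 fix): the WHATWG HTML tokenizer ends a comment at --!> as well as at -->, so a processor that only recognizes --> keeps treating everything up to the next --> as comment text while the browser already renders it as markup. The check below compares both readings over a constructed sample and reports what the browser would see outside the comment.

```javascript
// Added example, not CKEditor code. Compares a naive "-->"-only comment
// terminator search with the browser rule that "--!>" also closes a comment.
// Simplification: the abrupt-close forms "<!-->" and "<!--->" are not modelled.

// Naive reading: the comment that starts at `start` ends only at "-->".
// Returns the index just past the terminator, or -1 if it never closes.
function naiveCommentEnd(html, start) {
  const end = html.indexOf("-->", start + 4);
  return end === -1 ? -1 : end + 3;
}

// Browser reading (WHATWG tokenizer): "-->" ends the comment, and so does
// "--!>" (a parse error, but the comment still closes there).
function specCommentEnd(html, start) {
  for (let i = start + 4; i < html.length; i++) {
    if (html.startsWith("-->", i)) return i + 3;
    if (html.startsWith("--!>", i)) return i + 4;
  }
  return -1;
}

// Walk every "<!--" in the input and report each comment where the two
// readings disagree, i.e. where "--!>" closes it before the naive parser
// thinks it is closed. `browserSees` is the text the browser renders as
// markup but the naive parser still treats as comment content.
function findMishandledComments(html) {
  const findings = [];
  let pos = 0;
  while ((pos = html.indexOf("<!--", pos)) !== -1) {
    const naive = naiveCommentEnd(html, pos);
    const spec = specCommentEnd(html, pos);
    if (spec !== -1 && spec !== naive) {
      const leakEnd = naive === -1 ? html.length : naive;
      findings.push({ at: pos, browserSees: html.slice(spec, leakEnd) });
    }
    pos = spec === -1 ? html.length : spec;
  }
  return findings;
}

// Constructed sample (harmless markup): the naive parser believes the
// comment runs to the final "-->", the browser closes it at "--!>".
const SAMPLE = "<p>hi</p><!-- note --!><b>leaks</b> -->";
console.log(findMishandledComments(SAMPLE));
```

A sanitizer or HTML processor that uses the browser's rule (close on --!> too) removes the discrepancy; this check is only a way to spot inputs where the two readings diverge.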

Related Identifiers

BDU:2021-04887
BIT-DRUPAL-2021-33829
CVE-2021-33829
DLA-2813-1
DRUPAL-CORE-2021-003
GHSA-RGX6-RJJ4-C388
USN-5340-1
USN-5340-2

Affected Products

Ckeditor 4
Debian
Linuxmint
Ubuntu