PT-2021-6524 · CKEditor · Clipboard
Published 2021-08-12 · Updated 2026-05-22
CVE-2021-32809
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
CKEditor 4, versions 4.5.2 through 4.16.1 (fixed in 4.16.2)
CKEditor 4 plugins that depend on the clipboard plugin, in the same version range (4.5.2 through 4.16.1), including:
- clipboard
- pastetext
- pastetools
- widget
- uploadwidget
- autolink
- tableselection
Description
The CKEditor 4 clipboard plugin did not correctly process malformed HTML supplied through the paste functionality. A remote attacker who can get content pasted into the editor (the CVSS vector reflects this: low privileges and user interaction are required) can use such malformed HTML to inject arbitrary HTML into the editor, bypassing the clean-up the paste path is supposed to perform and so affecting the integrity of the edited content. Because the injected markup ends up in the editor's output, the practical impact is code injection / XSS wherever that output is later rendered without further filtering.
Recommendations
For CKEditor versions 4.5.2 through 4.16.1, update to version 4.16.2 to resolve the issue.
For CKEditor 4 plugins with clipboard plugin dependency, update the plugins to versions compatible with CKEditor 4.16.2.
If updating is not immediately possible, disable the paste functionality provided by the clipboard plugin (and the dependent plugins listed above) as a temporary workaround until the upgrade to 4.16.2 or later is deployed.
Restrict editing to trusted users to reduce the chance of a malicious paste, and keep sanitizing editor output on the server side: the fix hardens the editor's paste handling, but it is not a substitute for validating HTML that is stored or rendered elsewhere.
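The affected range above is the thing an operator actually has to check against their deployed builds. The following Node.js script is an added example, not code from CKEditor or from this advisory: it compares a CKEditor 4 version string numerically against the 4.5.2 through 4.16.1 window and tries to pull the version out of the text of a built `ckeditor.js`. The two extraction regexes (a `CKEditor x.y.z` header comment and a `version:"x.y.z"` literal) are assumptions about how the version appears in a build, and the sample inputs are constructed, not real files.

```javascript
// Added example: check whether a deployed CKEditor 4 build falls inside the
// range affected by CVE-2021-32809 (4.5.2 through 4.16.1, fixed in 4.16.2).
// Not part of CKEditor or of the advisory; the regexes in extractVersion are
// assumptions about where a built ckeditor.js carries its version string.

const AFFECTED_MIN = '4.5.2';
const FIRST_FIXED = '4.16.2';

// Parse "4.16.1" into [4, 16, 1]; returns null for anything not x.y.z.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(s).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric, not lexicographic, comparison: "4.9.0" sorts before "4.16.1",
// which a plain string compare would get wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when AFFECTED_MIN <= version < FIRST_FIXED.
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIRST_FIXED) < 0;
}

// Extract the version from the text of a built ckeditor.js. Assumption: the
// build carries it either in a header comment ("CKEditor 4.16.1 ...") or in
// the core object literal (version:"4.16.1"). Returns null when neither
// pattern matches so the caller flags an unknown build instead of silently
// treating it as safe.
function extractVersion(source) {
  const m = /CKEditor\s+(\d+\.\d+\.\d+)/.exec(source) ||
            /version:\s*["'](\d+\.\d+\.\d+)["']/.exec(source);
  return m ? m[1] : null;
}

// Assessment for one build: { version, affected }, with both null when the
// version could not be determined.
function assessBuild(source) {
  const version = extractVersion(source);
  if (version === null) return { version: null, affected: null };
  return { version, affected: isAffected(version) };
}

// Constructed sample inputs shaped like fragments of a built ckeditor.js;
// they are not real files.
const SAMPLE_VULNERABLE = '/*!\n * CKEditor 4.16.1 (Standard)\n */\n';
const SAMPLE_FIXED = 'CKEDITOR={version:"4.16.2",revision:"abc123"};';
const SAMPLE_UNKNOWN = '// some other library, no version marker';

for (const s of [SAMPLE_VULNERABLE, SAMPLE_FIXED, SAMPLE_UNKNOWN]) {
  console.log(assessBuild(s));
}
```

Treat a `null` result as a finding to investigate rather than a pass: a minified or customized build that strips the header may still be vulnerable, and the runtime `CKEDITOR.version` property in the page is the authoritative value when you can reach it.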
Weakness types: Code Injection, XSS
Affected Products
- Ckeditor
- Debian
- Linuxmint
- Ubuntu
- Autolink
- Clipboard
- Pastetext
- Pastetools
- Tableselection
- Uploadwidget
- Widget