CVE-2021-32808

12.08.2021, 17:15

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.6 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
GitHub_M	CNA	7.6 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Vendor	Product	Version
ckeditor	ckeditor	4.13.0 ≤ 𝑥 < 4.16.2
oracle	application_express	𝑥 < 21.1.4
oracle	banking_party_management	2.7.0
oracle	commerce_guided_search	11.3.2
oracle	commerce_merchandising	11.3.2
oracle	documaker	12.6.3
oracle	documaker	12.6.4
oracle	financial_services_analytical_applications_infrastructure	8.0.7 ≤ 𝑥 ≤ 8.1.1
oracle	financial_services_model_management_and_governance	8.0.8.0.0
oracle	financial_services_model_management_and_governance	8.1.0.0.0
oracle	jd_edwards_enterpriseone_tools	𝑥 ≤ 9.2.6.0
oracle	peoplesoft_enterprise_peopletools	8.57
oracle	peoplesoft_enterprise_peopletools	8.58
oracle	peoplesoft_enterprise_peopletools	8.59
oracle	siebel_ui_framework	𝑥 ≤ 21.9
oracle	webcenter_sites	12.2.1.3.0
oracle	webcenter_sites	12.2.1.4.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

ckeditor

bullseye	no-dsa
buster	not-affected
stretch	not-affected
bookworm	4.19.1+dfsg-1 fixed
sid	4.22.1+dfsg1-2 fixed
trixie	4.22.1+dfsg1-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

ckeditor

jammy	not-affected
impish	Fixed 4.16.0+dfsg-2ubuntu0.1 released
hirsute	ignored
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	dne

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpuoct2021.html