CVE-2021-32809
12.08.2021, 17:15
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
| Vendor | Product | Version |
|---|---|---|
| ckeditor | ckeditor | 4.5.2 ≤ 𝑥 < 4.16.2 |
| oracle | application_express | 𝑥 < 21.1.4 |
| oracle | banking_party_management | 2.7.0 |
| oracle | commerce_guided_search | 11.3.2 |
| oracle | commerce_merchandising | 11.3.2 |
| oracle | documaker | 12.6.3 |
| oracle | documaker | 12.6.4 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.7 ≤ 𝑥 ≤ 8.1.1 |
| oracle | jd_edwards_enterpriseone_tools | 𝑥 < 9.2.6.0 |
| oracle | peoplesoft_enterprise_peopletools | 8.57 |
| oracle | peoplesoft_enterprise_peopletools | 8.58 |
| oracle | peoplesoft_enterprise_peopletools | 8.59 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
References