CVE-2021-32808

HIGH

CKEditor 4.13.0-4.16.1 - Stored Cross-Site Scripting via Clipboard Widget Undo Feature

Title source: llm
STIX 2.1

Description

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.

References (7)

Core 7
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html

Scores

CVSS v3 7.6
EPSS 0.0137
EPSS Percentile 80.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Details

CWE
CWE-79
Status published
Products (21)
ckeditor/ckeditor 4.13.0 - 4.16.2
fedoraproject/fedora 33
fedoraproject/fedora 34
fedoraproject/fedora 35
npm/ckeditor4 4.13.0 - 4.16.2npm
oracle/application_express < 21.1.4
oracle/banking_party_management 2.7.0
oracle/commerce_guided_search 11.3.2
oracle/commerce_merchandising 11.3.2
oracle/documaker 12.6.3
... and 11 more
Published Aug 12, 2021
Tracked Since Feb 18, 2026