CVE-2021-32809

MEDIUM

CKEditor 4.5.2-4.16.1 - HTML Injection via Malformed Paste Content

Title source: llm
STIX 2.1

Description

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

References (6)

Core 6
Core References
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html

Scores

CVSS v3 4.6
EPSS 0.0024
EPSS Percentile 46.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Details

CWE
CWE-94 CWE-79
Status published
Products (16)
ckeditor/ckeditor 4.5.2 - 4.16.2
fedoraproject/fedora 33
fedoraproject/fedora 34
fedoraproject/fedora 35
npm/ckeditor4 4.5.2 - 4.16.2npm
oracle/application_express < 21.1.4
oracle/banking_party_management 2.7.0
oracle/commerce_guided_search 11.3.2
oracle/commerce_merchandising 11.3.2
oracle/documaker 12.6.3
... and 6 more
Published Aug 12, 2021
Tracked Since Feb 18, 2026