CVE-2021-37695

HIGH

Ckeditor < 4.16.2 - XSS

Title source: rule
STIX 2.1

Description

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

References (8)

Core 8
Core References
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html

Scores

CVSS v3 7.3
EPSS 0.0074
EPSS Percentile 73.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Details

CWE
CWE-79
Status published
Products (19)
ckeditor/ckeditor < 4.16.2
debian/debian_linux 9.0
fedoraproject/fedora 33
fedoraproject/fedora 34
fedoraproject/fedora 35
npm/ckeditor4 0 - 4.16.2npm
oracle/application_express < 21.1.4
oracle/banking_party_management 2.7.0
oracle/commerce_guided_search 11.3.2
oracle/commerce_merchandising 11.3.2
... and 9 more
Published Aug 13, 2021
Tracked Since Feb 18, 2026