Description
CKEditor 4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability was discovered in the Advanced Content Filter (ACF) module that may affect all plugins used by CKEditor 4. The vulnerability allowed an attacker to inject malformed HTML that bypassed content sanitization, which could result in the execution of JavaScript code. It affects all users of CKEditor 4 at versions below 4.17.0. The problem has been recognized and patched; the fix is available in version 4.17.0.
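The practical first step for this entry is to find every copy of CKEditor 4 below 4.17.0 in a deployment. The script below is an added example, not CKEditor's own code or part of the advisory: it parses a version string (the bare "4.16.2" form, or a string with a trailing build label, which is an assumed format for the sake of the example and is simply ignored), decides whether it falls in the affected range stated on this page, and scans a constructed package-lock-style "packages" map for pinned ckeditor4 entries. ACF runs in the browser, so regardless of version, HTML coming from the editor should still be sanitized server-side before it is stored or rendered; that caveat follows from the bypass described above, not from anything specific in this example.

```javascript
// Added example (not CKEditor's or the advisory's code): detect CKEditor 4
// releases in the affected range reported on this page, i.e. 4.x < 4.17.0.

// Parse "4.16.2", "4.17.0" or "4.16.2 (Standard)" into [major, minor, patch].
// Handling a trailing label is an assumption made for this example; only the
// leading dotted numbers are used.
function parseVersion(version) {
  const m = /^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(version));
  if (!m) {
    throw new Error(`unrecognised version string: ${JSON.stringify(version)}`);
  }
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Numeric, component-wise comparison (so 4.9.x sorts below 4.17.0).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const FIXED_IN = '4.17.0';

// True when `version` is a CKEditor 4 release below 4.17.0.
// Other major lines (e.g. CKEditor 5) are out of scope for this entry.
function isAffectedCkeditor4(version) {
  const [major] = parseVersion(version);
  if (major !== 4) return false;
  return compareVersions(version, FIXED_IN) < 0;
}

// Walk a lockfile "packages" map (npm lockfileVersion 2/3 layout, keyed by
// install path) and return "path@version" for each affected ckeditor4 copy,
// including nested copies under other packages' node_modules.
function findAffectedPackages(lockPackages) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockPackages)) {
    const name = path.split('node_modules/').pop();
    if (name === 'ckeditor4' && meta && meta.version && isAffectedCkeditor4(meta.version)) {
      hits.push(`${path}@${meta.version}`);
    }
  }
  return hits;
}

// Constructed sample data, not taken from a real project.
const SAMPLE_LOCK_PACKAGES = {
  'node_modules/ckeditor4': { version: '4.16.2' },
  'node_modules/legacy-widget/node_modules/ckeditor4': { version: '4.17.0' },
  'node_modules/@ckeditor/ckeditor5-build-classic': { version: '34.0.0' },
};

console.log(findAffectedPackages(SAMPLE_LOCK_PACKAGES));
```

Only the top-level 4.16.2 copy is reported; the nested 4.17.0 copy is at the fixed version and the CKEditor 5 build is a different product. Point `findAffectedPackages` at the `packages` object of a real package-lock.json to reuse it.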
References (8)
Mailing List, Third Party Advisory (vendor-advisory)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
Mailing List, Third Party Advisory (vendor-advisory)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
Patch, Third Party Advisory
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417
Third Party Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj
Third Party Advisory
https://www.drupal.org/sa-core-2021-011
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Not Applicable
https://www.oracle.com/security-alerts/cpujul2022.html
Scores
CVSS v3
8.2
EPSS
0.0008
EPSS Percentile
22.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Details
CWE
CWE-79
Status
published
Products (22)
ckeditor/ckeditor
4.0 - 4.17.0
drupal/drupal
8.9.0 - 8.9.20
fedoraproject/fedora
36
fedoraproject/fedora
37
npm/ckeditor4
0 - 4.17.0
oracle/agile_plm
9.3.6
oracle/application_express
< 22.1
oracle/banking_apis
19.1
oracle/banking_apis
19.2
oracle/banking_apis
20.1
... and 12 more
Published
Nov 17, 2021
Tracked Since
Feb 18, 2026