CVE-2021-33829
Name
CVE-2021-33829
Description
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)
References
Type          URI
MISC          https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
Mailing List  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
Mailing List  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
Mailing List  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
Patch         https://www.drupal.org/sa-core-2021-003
Mailing List  https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
Match rules
CPE URI                                      Source package  Min version  Max version
cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*  ckeditor        >= 4.14.0    < 4.16.1
Vulnerable and fixed packages
Source package
Branch
Version
Maintainer
Status