CVE-2021-41164

Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML

CVSS 8.2 HIGHEPSS 1.3%CWE-79

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.2EPSS 1.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

17 nov 2021Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

Productos afectados

ckeditor · ckeditor4

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/https://www.drupal.org/sa-core-2021-011 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpujul2022.html