GitHub Advisory Database: GHSA-RGX6-RJJ4-C388
History: Jun 21, 2021 - 5:16 p.m.

ckeditor4 vulnerable to cross-site scripting

2021-06-21 17:16:42
CWE-79
GitHub Advisory Database
github.com

CVSS2: 4.3 Medium
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.005 Low
  Percentile: 77.4%

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

Affected configurations

Vulners node (any of the following, joined by OR):

drupal / drupal: Range <9.1.9
drupal / drupal: Range <9.0.14
drupal / drupal: Range <8.9.16
drupal / drupal: Range <7.80
drupal_core / drupal_core: Range <9.1.9
drupal_core / drupal_core: Range <9.0.14
drupal_core / drupal_core: Range <8.9.16
drupal_core / drupal_core: Range <7.80
ckeditor4: Range <4.16.1
