Vulnerability Details : CVE-2021-37695
CKEditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability was discovered in the CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package: it allowed malformed Fake Objects HTML to be injected into editor content, which could result in JavaScript code execution. It affects all users of the CKEditor 4 Fake Objects plugin at versions earlier than 4.16.2. The problem has been recognized and patched; the fix is available in version 4.16.2.
Vulnerability category: Cross site scripting (XSS)
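The only remediation the advisory offers is the version bound, so the practical check is an inventory of CKEditor 4 builds against 4.16.2. The following is an added example, not code from the advisory or the CKEditor project. In a page that loads CKEditor 4 you would pass `CKEDITOR.version` to `isAffected()`; the hostnames, version strings and the assumption that release builds may append a preset name such as "(Standard)" after the dotted version are constructed for offline use.

```javascript
// Added example (not from the advisory or the CKEditor project): decide whether
// a CKEditor 4 build falls inside the affected range for CVE-2021-37695 (< 4.16.2).
// Usage in a live page: isAffected(CKEDITOR.version). Everything below is
// constructed sample data so the script runs offline.

const FIXED_VERSION = [4, 16, 2];

// Parse "4.16.1", "4.16.2 (Standard)", "4.9" etc. into [major, minor, patch].
// Anything after the dotted version (e.g. a preset suffix) is ignored.
// Returns null when the string does not start with a dotted version.
function parseVersion(str) {
  const m = /^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(str));
  if (!m) return null;
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Lexicographic comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// The CVE is filed against the CKEditor 4 line only, so the check is
// "major version 4 and strictly older than the fixed release".
function isAffected(versionString) {
  const v = parseVersion(versionString);
  if (v === null) throw new Error(`unparseable CKEditor version: ${versionString}`);
  return v[0] === 4 && compareVersions(v, FIXED_VERSION) < 0;
}

// Constructed inventory: hostname -> value of CKEDITOR.version reported by that host.
const SAMPLE_INVENTORY = {
  "intranet-cms": "4.16.1 (Standard)",
  "ticket-portal": "4.16.2 (Full)",
  "legacy-wiki": "4.5.11",
  "blog": "4.17.1 (Standard)",
};

// Return the hosts that still need the 4.16.2 (or later) upgrade.
function triage(inventory) {
  return Object.entries(inventory)
    .filter(([, ver]) => isAffected(ver))
    .map(([host]) => host);
}

console.log("hosts needing the 4.16.2 upgrade:", triage(SAMPLE_INVENTORY));
```

The comparison is numeric per component rather than a string comparison, so "4.9" correctly sorts below "4.16.1"; a string compare would get that wrong.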
Products affected by CVE-2021-37695
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* (versions from 8.0.7 up to and including 8.1.1)
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:* (versions from 8.0.8.0.0 up to and including 8.1.0.0.0)
- cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-37695
- Score: 0.23% (probability of exploitation activity in the next 30 days)
- Percentile: ~61% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-37695
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST |
7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N | 2.1 | 5.2 | GitHub, Inc. |
CWE ids for CVE-2021-37695
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Secondary); security-advisories@github.com (Primary)
References for CVE-2021-37695
- Oracle Critical Patch Update Advisory - January 2022 (Patch; Third Party Advisory): https://www.oracle.com/security-alerts/cpujan2022.html
- [SECURITY] [DLA 2813-1] ckeditor security update (Mailing List; Third Party Advisory): https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
- Fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML, GitHub advisory GHSA-m94c-37g6-cjhc (Third Party Advisory): https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
- Merge pull request #49 from cksource/sec/48, commit de3c001 (Patch; Third Party Advisory): https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
- [SECURITY] Fedora 34 Update: ckeditor-4.16.2-1.fc34 (Mailing List; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- [SECURITY] Fedora 33 Update: ckeditor-4.16.2-1.fc33 (Mailing List; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- Oracle Critical Patch Update Advisory - October 2021 (Patch; Third Party Advisory): https://www.oracle.com/security-alerts/cpuoct2021.html
- [SECURITY] Fedora 35 Update: ckeditor-4.16.2-1.fc35 (Mailing List; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/