Vulnerability Details CVE-2021-37695
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 65.7%
CVSS Severity
CVSS v3 Score 7.3
CVSS v2 Score 3.5
References
- https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
- https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
- https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Products affected by CVE-2021-37695
-
cpe:2.3:a:ckeditor:ckeditor:1.2.3
-
cpe:2.3:a:ckeditor:ckeditor:4.0
-
cpe:2.3:a:ckeditor:ckeditor:4.0.1
-
cpe:2.3:a:ckeditor:ckeditor:4.0.1.1
-
cpe:2.3:a:ckeditor:ckeditor:4.0.2
-
cpe:2.3:a:ckeditor:ckeditor:4.0.3
-
cpe:2.3:a:ckeditor:ckeditor:4.1
-
cpe:2.3:a:ckeditor:ckeditor:4.1.1
-
cpe:2.3:a:ckeditor:ckeditor:4.1.2
-
cpe:2.3:a:ckeditor:ckeditor:4.1.3
-
cpe:2.3:a:ckeditor:ckeditor:4.10.0
-
cpe:2.3:a:ckeditor:ckeditor:4.10.1
-
cpe:2.3:a:ckeditor:ckeditor:4.11.0
-
cpe:2.3:a:ckeditor:ckeditor:4.11.1
-
cpe:2.3:a:ckeditor:ckeditor:4.11.2
-
cpe:2.3:a:ckeditor:ckeditor:4.11.3
-
cpe:2.3:a:ckeditor:ckeditor:4.11.4
-
cpe:2.3:a:ckeditor:ckeditor:4.13.0
-
cpe:2.3:a:ckeditor:ckeditor:4.13.1
-
cpe:2.3:a:ckeditor:ckeditor:4.14
-
cpe:2.3:a:ckeditor:ckeditor:4.14.0
-
cpe:2.3:a:ckeditor:ckeditor:4.14.1
-
cpe:2.3:a:ckeditor:ckeditor:4.15.0
-
cpe:2.3:a:ckeditor:ckeditor:4.15.1
-
cpe:2.3:a:ckeditor:ckeditor:4.16
-
cpe:2.3:a:ckeditor:ckeditor:4.16.0
-
cpe:2.3:a:ckeditor:ckeditor:4.16.1
-
cpe:2.3:a:ckeditor:ckeditor:4.2
-
cpe:2.3:a:ckeditor:ckeditor:4.2.1
-
cpe:2.3:a:ckeditor:ckeditor:4.2.2
-
cpe:2.3:a:ckeditor:ckeditor:4.2.3
-
cpe:2.3:a:ckeditor:ckeditor:4.3.0
-
cpe:2.3:a:ckeditor:ckeditor:4.3.1
-
cpe:2.3:a:ckeditor:ckeditor:4.3.2
-
cpe:2.3:a:ckeditor:ckeditor:4.3.3
-
cpe:2.3:a:ckeditor:ckeditor:4.3.4
-
cpe:2.3:a:ckeditor:ckeditor:4.3.5
-
cpe:2.3:a:ckeditor:ckeditor:4.4.0
-
cpe:2.3:a:ckeditor:ckeditor:4.4.1
-
cpe:2.3:a:ckeditor:ckeditor:4.4.2
-
cpe:2.3:a:ckeditor:ckeditor:4.4.3
-
cpe:2.3:a:ckeditor:ckeditor:4.4.4
-
cpe:2.3:a:ckeditor:ckeditor:4.4.5
-
cpe:2.3:a:ckeditor:ckeditor:4.4.6
-
cpe:2.3:a:ckeditor:ckeditor:4.4.7
-
cpe:2.3:a:ckeditor:ckeditor:4.4.8
-
cpe:2.3:a:ckeditor:ckeditor:4.5.0
-
cpe:2.3:a:ckeditor:ckeditor:4.5.1
-
cpe:2.3:a:ckeditor:ckeditor:4.5.10
-
cpe:2.3:a:ckeditor:ckeditor:4.5.11
-
cpe:2.3:a:ckeditor:ckeditor:4.5.2
-
cpe:2.3:a:ckeditor:ckeditor:4.5.3
-
cpe:2.3:a:ckeditor:ckeditor:4.5.4
-
cpe:2.3:a:ckeditor:ckeditor:4.5.5
-
cpe:2.3:a:ckeditor:ckeditor:4.5.6
-
cpe:2.3:a:ckeditor:ckeditor:4.5.7
-
cpe:2.3:a:ckeditor:ckeditor:4.5.8
-
cpe:2.3:a:ckeditor:ckeditor:4.5.9
-
cpe:2.3:a:ckeditor:ckeditor:4.6.0
-
cpe:2.3:a:ckeditor:ckeditor:4.6.1
-
cpe:2.3:a:ckeditor:ckeditor:4.6.2
-
cpe:2.3:a:ckeditor:ckeditor:4.7.0
-
cpe:2.3:a:ckeditor:ckeditor:4.7.1
-
cpe:2.3:a:ckeditor:ckeditor:4.7.2
-
cpe:2.3:a:ckeditor:ckeditor:4.7.3
-
cpe:2.3:a:ckeditor:ckeditor:4.8.0
-
cpe:2.3:a:ckeditor:ckeditor:4.9.0
-
cpe:2.3:a:ckeditor:ckeditor:4.9.1
-
cpe:2.3:a:ckeditor:ckeditor:4.9.2
-
cpe:2.3:a:oracle:application_express:-
-
cpe:2.3:a:oracle:application_express:18.2
-
cpe:2.3:a:oracle:application_express:19.1
-
cpe:2.3:a:oracle:application_express:19.2
-
cpe:2.3:a:oracle:application_express:20.1
-
cpe:2.3:a:oracle:application_express:20.2
-
cpe:2.3:a:oracle:application_express:21.1.0
-
cpe:2.3:a:oracle:application_express:21.1.0.00.01
-
cpe:2.3:a:oracle:application_express:3.0
-
cpe:2.3:a:oracle:application_express:3.1
-
cpe:2.3:a:oracle:application_express:3.2
-
cpe:2.3:a:oracle:application_express:4.0
-
cpe:2.3:a:oracle:application_express:4.1
-
cpe:2.3:a:oracle:application_express:4.2
-
cpe:2.3:a:oracle:application_express:5.0
-
cpe:2.3:a:oracle:application_express:5.0.4
-
cpe:2.3:a:oracle:application_express:5.1.0
-
cpe:2.3:a:oracle:application_express:5.1.1
-
cpe:2.3:a:oracle:application_express:5.1.2
-
cpe:2.3:a:oracle:application_express:5.1.2.00.09
-
cpe:2.3:a:oracle:application_express:5.1.3
-
cpe:2.3:a:oracle:application_express:5.1.3.00.05
-
cpe:2.3:a:oracle:application_express:5.1.4
-
cpe:2.3:a:oracle:application_express:5.1.4.00.08
-
cpe:2.3:a:oracle:banking_party_management:2.7.0
-
cpe:2.3:a:oracle:commerce_guided_search:11.3.2
-
cpe:2.3:a:oracle:commerce_merchandising:11.3.2
-
cpe:2.3:a:oracle:documaker:12.6.3
-
cpe:2.3:a:oracle:documaker:12.6.4
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.1.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.2.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1
-
cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.0.8.0.0
-
cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.0.0.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:-
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:4.0.1.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1.5
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.0
-
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.3
-
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57
-
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58
-
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:fedoraproject:fedora:33
-
cpe:2.3:o:fedoraproject:fedora:34
-
cpe:2.3:o:fedoraproject:fedora:35