Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qdjRjLTdqcXEtbTM0eM4AAnWr
CKEditor 4 ReDoS Vulnerability
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
Permalink: https://github.com/advisories/GHSA-jv4c-7jqq-m34xJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qdjRjLTdqcXEtbTM0eM4AAnWr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 5 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-jv4c-7jqq-m34x, CVE-2021-26271
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26271
- https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://web.archive.org/web/20210128132707/https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first
- https://github.com/advisories/GHSA-jv4c-7jqq-m34x
Blast Radius: 0.0
Affected Packages
npm:ckeditor4-dev
Dependent packages: 1Dependent repositories: 1
Downloads: 44 last month
Affected Version Ranges: < 4.16
Fixed in: 4.16
All affected versions: 4.13.0, 4.13.1, 4.14.0, 4.14.1, 4.15.0, 4.15.1
All unaffected versions: 4.16.0