CVE-2021-32808 HIGH

CVE-2021-32808: Cross-site scripting in ckeditor via abuse of undo functionality

Vendor Ckeditor

Product ckeditor4

Weakness CWE-79 · XSS

Published August 12, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.

Key dates

02Disclosure timeline

August 12, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-32808 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2021-32808: Cross-site scripting in ckeditor via abuse of undo functionality

01Description

02Disclosure timeline

03References

04Related CVE