Vulnerability Name: CVE-2021-37695 (CCN-207431)
Assigned: 2021-08-12
Published: 2021-08-12
Updated: 2022-02-28

Summary:
CKEditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability was discovered in the CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. It allowed injecting malformed Fake Objects HTML into the editor, which could result in execution of JavaScript code. It affects all users of the CKEditor 4 plugins listed in the upstream advisory at versions < 4.16.2. The problem has been recognized and patched; the fix is available in version 4.16.2.

CVSS v3 Severity:
  5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
  5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): Low; User Interaction (UI): Required
  Scope (S): Changed
  Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): None
  7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
  7.0 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): Low; User Interaction (UI): Required
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): None
CVSS v2 Severity:
  3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): Single_Instance
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
  8.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): Single_Instance
  Impact Metrics: Confidentiality (C): Complete; Integrity (I): Complete; Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting

References:
  - Source: MITRE; Type: CNA; CVE-2021-37695
  - Source: CCN; Type: CKEditor Web site; CKEditor
  - Source: XF; Type: UNKNOWN; ckeditor-cve202137695-xss(207431)
  - Source: MISC; Type: Patch, Third Party Advisory; https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
  - Source: CCN; Type: CKEditor4 GIT Repository; Fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML
  - Source: CONFIRM; Type: Third Party Advisory; https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
  - Source: MLIST; Type: Mailing List, Third Party Advisory; [debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update
  - Source: FEDORA; Type: Mailing List, Third Party Advisory; FEDORA-2021-51457da891
  - Source: FEDORA; Type: Mailing List, Third Party Advisory; FEDORA-2021-72176a63a8
  - Source: FEDORA; Type: Mailing List, Third Party Advisory; FEDORA-2021-87578dca12
  - Source: CCN; Type: IBM Security Bulletin 6852451 (Sterling B2B Integrator); B2B API of IBM Sterling B2B Integrator vulnerable to multiple issues due to CKEditor
  - Source: CCN; Type: IBM Security Bulletin 6985607 (Engineering Workflow Management); IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203
  - Source: CCN; Type: Oracle CPUJan2022; Oracle Critical Patch Update Advisory - January 2022
  - Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpujan2022.html
  - Source: CCN; Type: Oracle CPUOct2021; Oracle Critical Patch Update Advisory - October 2021
  - Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:
  Configuration 1:
    cpe:/a:ckeditor:ckeditor:*:*:*:*:*:*:*:* (Version < 4.16.2)
  Configuration 2:
    cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  Configuration 3:
    cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:* OR
    cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:* OR
    cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  Configuration 4:
    cpe:/a:oracle:application_express:*:*:*:*:*:*:*:* (Version < 21.1.4) OR
    cpe:/a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:* OR
    cpe:/a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* OR
    cpe:/a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:* OR
    cpe:/a:oracle:documaker:12.6.3:*:*:*:*:*:*:* OR
    cpe:/a:oracle:documaker:12.6.4:*:*:*:*:*:*:* OR
    cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:* OR
    cpe:/a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* (Version >= 8.0.7 and <= 8.1.1) OR
    cpe:/a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:* (Version >= 8.0.8.0.0 and <= 8.1.0.0.0) OR
    cpe:/a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* (Version < 9.2.6.0) OR
    cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* OR
    cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* OR
    cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
  Configuration CCN 1:
    cpe:/a:ckeditor:ckeditor:4.16.0:*:*:*:*:node.js:*:* AND
    cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* OR
    cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:* OR
    cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:* OR
    cpe:/a:ibm:engineering_workflow_management:7.0.1:*:*:*:*:*:*:* OR
    cpe:/a:ibm:engineering_workflow_management:7.0.2:*:*:*:*:*:*:* OR
    cpe:/a:ibm:sterling_b2b_integrator:6.1.1.0:*:*:*:standard:*:*:* OR
    cpe:/a:ibm:sterling_b2b_integrator:6.1.2.0:*:*:*:standard:*:*:*
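The vulnerable configuration above reduces, for a self-hosted deployment, to two questions: is the CKEditor 4 build older than 4.16.2, and is the Fake Objects package in play. The following is an added triage helper, not CKEditor code and not part of this record. It assumes that a CKEditor 4 bundle carries a `version:"x.y.z"` property on the CKEDITOR object (which is what `CKEDITOR.version` reports at runtime), that the affected plugin is registered under the name `fakeobjects`, and that the caller can supply the list of active plugin names (in a browser, `Object.keys(CKEDITOR.plugins.registered)` is one source). The sample bundle fragment is constructed for the example.

```javascript
// Added example (not CKEditor's own code): triage a CKEditor 4 deployment
// against CVE-2021-37695 using its version string and active plugin list.

const FIXED_VERSION = '4.16.2';        // first fixed release named in the advisory
const AFFECTED_PLUGIN = 'fakeobjects'; // assumption: registered name of the Fake Objects package

// Parse "4.16.0" (a leading "v" or trailing text such as " (Standard)" is tolerated) into [4, 16, 0].
function parseVersion(v) {
  const m = /^\s*v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison so that 4.16.10 sorts after 4.16.2. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Pull the baked-in version out of a ckeditor.js bundle's text.
// Assumption: the bundle defines a `version:"x.y.z"` property on the CKEDITOR object.
function versionFromBundle(source) {
  const m = /\bversion\s*:\s*["'](\d+\.\d+\.\d+)["']/.exec(source);
  return m ? m[1] : null;
}

// Verdict for one deployment. `plugins` is the list of active plugin names, or
// undefined when it is not known; the version check is the primary signal.
function assessCve202137695(version, plugins) {
  const vulnerableVersion = compareVersions(version, FIXED_VERSION) < 0;
  const pluginLoaded = plugins === undefined ? null : plugins.includes(AFFECTED_PLUGIN);
  let status;
  if (!vulnerableVersion) status = 'fixed';
  else if (pluginLoaded === false) status = 'vulnerable version, fakeobjects not in plugin list';
  else status = 'vulnerable';
  return { version, vulnerableVersion, pluginLoaded, status };
}

// Constructed sample: a fragment shaped like the header of a minified ckeditor.js build.
const SAMPLE_BUNDLE =
  'window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"L7C9",version:"4.16.0",revision:"abcdef0"};return a}());';

// Run the three interesting cases and return the verdicts.
function demo() {
  const v = versionFromBundle(SAMPLE_BUNDLE);
  return [
    assessCve202137695(v, ['fakeobjects', 'image', 'link']), // old build, plugin active
    assessCve202137695(v, ['link']),                         // old build, plugin not listed
    assessCve202137695('4.16.2', ['fakeobjects']),           // fixed release
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) console.log(JSON.stringify(r));
}
```

Treat the "fakeobjects not in plugin list" result as a weaker signal than the version result: in CKEditor 4 other plugins declare `fakeobjects` as a dependency, so its absence from an explicit `config.extraPlugins` or `config.plugins` string does not prove it is unloaded; the registered-plugins set at runtime is the reliable source. Upgrading to 4.16.2 or later is the fix in every case.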
Affected components (vendor | product | version):
  Configurations 1-4:
    ckeditor | ckeditor | *
    debian | debian linux | 9.0
    fedoraproject | fedora | 33
    fedoraproject | fedora | 34
    fedoraproject | fedora | 35
    oracle | application express | *
    oracle | banking party management | 2.7.0
    oracle | commerce guided search | 11.3.2
    oracle | commerce merchandising | 11.3.2
    oracle | documaker | 12.6.3
    oracle | documaker | 12.6.4
    oracle | financial services analytical applications infrastructure | 8.0.3
    oracle | financial services analytical applications infrastructure | *
    oracle | financial services model management and governance | *
    oracle | jd edwards enterpriseone tools | *
    oracle | peoplesoft enterprise peopletools | 8.57
    oracle | peoplesoft enterprise peopletools | 8.58
    oracle | peoplesoft enterprise peopletools | 8.59
  Configuration CCN 1:
    ckeditor | ckeditor | 4.16.0
    oracle | peoplesoft enterprise peopletools | 8.57
    ibm | sterling b2b integrator | 6.0.0.0
    ibm | sterling b2b integrator | 6.1.0.0
    ibm | engineering workflow management | 7.0.1
    ibm | engineering workflow management | 7.0.2
    ibm | sterling b2b integrator | 6.1.1.0
    ibm | sterling b2b integrator | 6.1.2.0