Skip to main content

Ckeditor CVE-2021-26272

MEDIUM
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2021-01-26 cve@mitre.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Jan 26, 2021 - 21:15 nvd
MEDIUM 6.5

DescriptionNVD

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

AnalysisAI

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-829. It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin). Affected products include: Ckeditor, Oracle Agile Plm, Oracle Application Express, Oracle Banking Party Management, Oracle Commerce Merchandising. Version information: before 4.16.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2023-31541 CRITICAL POC
9.8 Jun 13

A unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3

CVE-2021-33829 MEDIUM POC
6.1 Jun 09

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1

CVE-2018-17960 MEDIUM POC
6.1 Nov 14

CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. Rated medium severity (CVSS 6.1), thi

CVE-2022-24729 HIGH
7.5 Mar 16

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated high severity (CVSS 7.5), this vulnerability

CVE-2012-2067 MEDIUM
6.8 Sep 05

Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 a

CVE-2021-26271 MEDIUM
6.5 Jan 26

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted tex

CVE-2024-43407 MEDIUM
6.1 Aug 21

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2024-24816 MEDIUM
6.1 Feb 07

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2024-24815 MEDIUM
6.1 Feb 07

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2023-4771 MEDIUM
6.1 Nov 16

A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. Rated me

CVE-2023-28439 MEDIUM
6.1 Mar 22

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2020-27193 MEDIUM
6.1 Nov 12

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run

Share

CVE-2021-26272 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy