CVE-2021-33829
MEDIUM 6.1, EPSS 65.5%
ckeditor4 vulnerable to cross-site scripting
Published: 6/21/2021, Modified: 4/28/2026
Description
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
Affected packages (8)
- Bitnami/drupal >= 8.9.0, < 8.9.16, >= 9.0.0, < 9.0.14, >= 9.1.0, < 9.1.9
- Debian/ckeditor from 0, < 4.16.0+dfsg-2
- Debian/ckeditor from 0, < 4.5.7+dfsg-2+deb9u1
- Debian/ckeditor3 from 0
- npm/ckeditor4 >= 4.14.0, < 4.16.1
- Packagist/drupal/core >= 8.0.0, < 8.9.16 | >= 9.0.0, < 9.0.14 | >= 9.1.0, < 9.1.9
- Packagist/drupal/core >= 7.0.0, < 7.80
- Packagist/drupal/drupal >= 7.0.0, < 7.80
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (15)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-33829
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2021-33829
- PATCH https://github.com/ckeditor/ckeditor4
- WEB https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
- WEB https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2021-33829.yaml
- WEB https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2021-33829.yaml
- WEB https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
- WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T
- WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW
- WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD
- WEB https://www.drupal.org/sa-core-2021-003
- WEB https://www.npmjs.com/package/ckeditor4