CVE-2021-41164

HIGH8.2EPSS 0.08%

Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML

Published: 11/17/2021Modified: 3/13/2026

Also known as:GHSA-pvmx-g8h5-cprjBIT-drupal-2021-41164

Description

### Affected packages The vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. ### Impact A potential vulnerability has been discovered in CKEditor 4 Advanced Content Filter (ACF) core module. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. ### Patches The problem has been recognized and patched. The fix will be available in version 4.17.0. ### For more information Email us at [email protected] if you have any questions or comments about this advisory. ### Acknowledgements The CKEditor 4 team would like to thank Maurice Dauer ([laytonctf](https://twitter.com/laytonctf)) for recognizing and reporting this vulnerability.

Affected packages (3)

Bitnami/drupal>= 8.9.0, < 8.9.20, >= 9.1.0, < 9.1.14, >= 9.2.0, < 9.2.9
Debian/ckeditorfrom 0
npm/ckeditor4from 0, < 4.17.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

Description

Affected packages (3)

CVSS scores

References (13)