It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
References
Link | Resource |
---|---|
https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first | Vendor Advisory |
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 | Release Notes Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
01 Dec 2021, 16:16
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:* |
|
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory | |
References | (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory |
20 Oct 2021, 11:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Feb 2021, 22:21
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first - Vendor Advisory |
04 Feb 2021, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Feb 2021, 13:29
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-829 | |
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 6.5 |
References | (MISC) https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 - Release Notes, Third Party Advisory | |
CPE | cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:* |
26 Jan 2021, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-01-26 21:15
Updated : 2023-12-10 13:41
NVD link : CVE-2021-26271
Mitre link : CVE-2021-26271
CVE.ORG link : CVE-2021-26271
JSON object : View
Products Affected
oracle
- webcenter_sites
- financial_services_analytical_applications_infrastructure
- siebel_ui_framework
- jd_edwards_enterpriseone_tools
- agile_plm
- application_express
ckeditor
- ckeditor
CWE
CWE-829
Inclusion of Functionality from Untrusted Control Sphere