CVE-2021-41164 - log back

CVE-2021-41164 edited at 18 Nov 2021 10:23:08
Description
- In CKEditor4 before version 4.17.0, as used by Drupal beforer version 9.2.9, a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code.
+ In CKEditor4 before version 4.17.0, as used by Drupal before version 9.2.9, a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code.
In Drupal, an attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
CVE-2021-41164 edited at 17 Nov 2021 22:18:03
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Cross-site scripting
Description
+ In CKEditor4 before version 4.17.0, as used by Drupal beforer version 9.2.9, a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code.
+
+ In Drupal, an attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
References
+ https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj
+ https://www.drupal.org/sa-core-2021-011
Notes
CVE-2021-41164 created at 17 Nov 2021 22:15:02