CVE-2021-41165 log

Source
Severity Medium
Remote Yes
Type Cross-site scripting
Description
In CKEditor4 before version 4.17.0, as used by Drupal before version 9.2.9, a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code.

In Drupal, an attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
Group Package Affected Fixed Severity Status Ticket
AVG-2565 drupal 9.2.6-1 9.2.9-1 Medium Fixed
References
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2
https://www.drupal.org/sa-core-2021-011