It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
References
Link | Resource |
---|---|
https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first | Vendor Advisory |
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 | Release Notes Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first | Vendor Advisory |
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 | Release Notes Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 05:56
Type | Values Removed | Values Added |
---|---|---|
References | () https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first - Vendor Advisory | |
References | () https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 - Release Notes, Third Party Advisory | |
References | () https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory |
Information
Published : 2021-01-26 21:15
Updated : 2024-11-21 05:56
NVD link : CVE-2021-26271
Mitre link : CVE-2021-26271
CVE.ORG link : CVE-2021-26271
JSON object : View
Products Affected
oracle
- financial_services_analytical_applications_infrastructure
- webcenter_sites
- application_express
- siebel_ui_framework
- agile_plm
- jd_edwards_enterpriseone_tools
ckeditor
- ckeditor
CWE
CWE-829
Inclusion of Functionality from Untrusted Control Sphere