It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
References
Link | Resource |
---|---|
https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first | Vendor Advisory |
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416 | Release Notes Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
No history.
Information
Published : 2021-01-26 21:15
Updated : 2024-02-28 18:08
NVD link : CVE-2021-26271
Mitre link : CVE-2021-26271
CVE.ORG link : CVE-2021-26271
JSON object : View
Products Affected
oracle
- agile_plm
- application_express
- webcenter_sites
- financial_services_analytical_applications_infrastructure
- jd_edwards_enterpriseone_tools
- siebel_ui_framework
ckeditor
- ckeditor
CWE
CWE-829
Inclusion of Functionality from Untrusted Control Sphere