CVE-2021-37695

CVE	CVE-2021-37695
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-08-13 00:15:00 UTC
Updated	2023-11-07 03:37:00 UTC
Description	ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

Problem Types: CWE-79

Type	Vendor	Product	Version	Update	Edition	Language
Application	Ckeditor	Ckeditor	All	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Application	Oracle	Application Express	All	All	All	All
Application	Oracle	Banking Party Management	2.7.0	All	All	All
Application	Oracle	Commerce Guided Search	11.3.2	All	All	All
Application	Oracle	Commerce Merchandising	11.3.2	All	All	All
Application	Oracle	Documaker	12.6.3	All	All	All
Application	Oracle	Documaker	12.6.4	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	8.0.3	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	All	All	All	All
Application	Oracle	Financial Services Model Management And Governance	All	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.57	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All

Reference	Source	Link	Tags
[SECURITY] Fedora 35 Update: ckeditor-4.16.2-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] [DLA 2813-1] ckeditor security update	MLIST	lists.debian.org
[SECURITY] Fedora 33 Update: ckeditor-4.16.2-1.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 33 Update: ckeditor-4.16.2-1.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
[SECURITY] Fedora 34 Update: ckeditor-4.16.2-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 34 Update: ckeditor-4.16.2-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML · Advisory · ckeditor/ckeditor4 · GitHub	CONFIRM	github.com
[SECURITY] Fedora 35 Update: ckeditor-4.16.2-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Merge pull request #49 from cksource/sec/48 · ckeditor/ckeditor4@de3c001 · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

178885 Debian Security Update for ckeditor (DLA 2813-1)
184188 Debian Security Update for ckeditor (CVE-2021-37695)
198710 Ubuntu Security Notification for CKEditor Vulnerabilities (USN-5340-1)
281934 Fedora Security Update for ckeditor (FEDORA-2021-87578dca12)
281935 Fedora Security Update for ckeditor (FEDORA-2021-72176a63a8)
376257 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2022)
980092 Nodejs (npm) Security Update for ckeditor4 (GHSA-m94c-37g6-cjhc)