{"api_version":"1","generated_at":"2026-04-22T17:47:51+00:00","cve":"CVE-2021-41165","urls":{"html":"https://cve.report/CVE-2021-41165","api":"https://cve.report/api/cve/CVE-2021-41165.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-41165","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-41165"},"summary":{"title":"CVE-2021-41165","description":"CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-11-17 20:15:00","updated_at":"2022-10-05 12:47:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://www.drupal.org/sa-core-2021-011","name":"https://www.drupal.org/sa-core-2021-011","refsource":"CONFIRM","tags":[],"title":"Access to this page has been denied.","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","name":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujan2022.html","name":"https://www.oracle.com/security-alerts/cpujan2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - January 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417","name":"https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417","refsource":"MISC","tags":[],"title":"ckeditor4/CHANGES.md at major · ckeditor/ckeditor4 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2","name":"https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2","refsource":"CONFIRM","tags":[],"title":"HTML comments vulnerability allowing to execute JavaScript code · Advisory · ckeditor/ckeditor4 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-41165","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41165","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ckeditor","cpe5":"ckeditor","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"drupal","cpe5":"drupal","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"agile_product_lifecycle_management","cpe6":"9.3.6","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"application_express","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"banking_apis","cpe6":"19.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"banking_apis","cpe6":"19.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"banking_apis","cpe6":"20.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"banking_apis","cpe6":"21.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"18.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"banking_apis","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"banking_digital_experience","cpe6":"19.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"banking_digital_experience","cpe6":"19.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"banking_digital_experience","cpe6":"20.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"banking_digital_experience","cpe6":"21.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"18.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"banking_digital_experience","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"commerce_guided_search","cpe6":"11.3.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.58","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"peoplesoft_enterprise_peopletools","cpe6":"8.59","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"webcenter_portal","cpe6":"12.2.1.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41165","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"webcenter_portal","cpe6":"12.2.1.4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-41165","qid":"154106","title":"Drupal Core Cross-Site Scripting (XSS) Vulnerability (SA-CORE-2021-011)"},{"cve":"CVE-2021-41165","qid":"182393","title":"Debian Security Update for ckeditor (CVE-2021-41165)"},{"cve":"CVE-2021-41165","qid":"283229","title":"Fedora Security Update for ckeditor (FEDORA-2022-b61dfd219b)"},{"cve":"CVE-2021-41165","qid":"283475","title":"Fedora Security Update for ckeditor (FEDORA-2022-4c634ee466)"},{"cve":"CVE-2021-41165","qid":"376547","title":"Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUAPR2022)"},{"cve":"CVE-2021-41165","qid":"730266","title":"Drupal Core Cross-Site Scripting (XSS) Vulnerability (SA-CORE-2021-011)"},{"cve":"CVE-2021-41165","qid":"980068","title":"Nodejs (npm) Security Update for ckeditor4 (GHSA-7h26-63m7-qhf2)"},{"cve":"CVE-2021-41165","qid":"997876","title":"PHP (Composer) Security Update for ckeditor/ckeditor (GHSA-7h26-63m7-qhf2)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-41165","STATE":"PUBLIC","TITLE":"HTML comments vulnerability allowing to execute JavaScript code"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"ckeditor4","version":{"version_data":[{"version_value":"< 4.17.0"}]}}]},"vendor_name":"ckeditor"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]},"references":{"reference_data":[{"name":"https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417","refsource":"MISC","url":"https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417"},{"name":"https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2","refsource":"CONFIRM","url":"https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2"},{"url":"https://www.oracle.com/security-alerts/cpujan2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"refsource":"CONFIRM","name":"https://www.drupal.org/sa-core-2021-011","url":"https://www.drupal.org/sa-core-2021-011"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"}]},"source":{"advisory":"GHSA-7h26-63m7-qhf2","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-11-17 20:15:00","lastModifiedDate":"2022-10-05 12:47:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.3,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*","versionEndExcluding":"4.17.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*","versionStartIncluding":"9.2.0","versionEndExcluding":"9.2.9","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*","versionStartIncluding":"9.1.0","versionEndExcluding":"9.1.14","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*","versionStartIncluding":"8.9.0","versionEndExcluding":"8.9.20","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*","versionStartIncluding":"18.1","versionEndIncluding":"18.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*","versionStartIncluding":"18.1","versionEndIncluding":"18.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*","versionEndExcluding":"22.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"41165","Ordinal":"216960","Title":"CVE-2021-41165","CVE":"CVE-2021-41165","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"41165","Ordinal":"1","NoteData":"CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"41165","Ordinal":"2","NoteData":"2021-11-17","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"41165","Ordinal":"3","NoteData":"2022-02-07","Type":"Other","Title":"Modified"}]}}}