CVE-2021-37695

🗓️ 12 Aug 2021 23:10:10Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 330 Views🌐 WEB

Vulnerability in CKEditor 4 Fake Objects package allows injection of malformed HTML, leading to potential JavaScript code execution. Affects CKEditor 4 plugins < 4.16.2

Reporter	Title	Published	Views	Family All 60
IBM Security Bulletins	Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is impacted by vulnerabilities in CKEditor 4.19	29 Aug 202519:15	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in CKEditor library affects IBM Engineering Test Management (ETM) (CVE-2021-32809, CVE-2021-37695)	21 Sep 202309:50	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203	24 Apr 202314:55	–	ibm
IBM Security Bulletins	Security Bulletin: IBM® Engineering Requirements Management DOORS/DWA vulnerabilities addressed in 9.7.2.8	18 Oct 202407:56	–	ibm
IBM Security Bulletins	Security Bulletin: B2B API of IBM Sterling B2B Integrator vulnerable to multiple issues due to CKEditor	3 Jan 202315:55	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Engineering Requirements Management DOORS/DWA vulnerabilities addressed in 9.7.2.10	29 Jul 202522:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling B2B Integrator is affected by multiple vulnerabilities in CKEditor	4 Dec 202415:19	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Engineering Requirements Management DOORS Next uses a CKEditor version affected by multiple vulnerabilities	17 Jan 202517:35	–	ibm
ATTACKERKB	CVE-2021-37695	13 Aug 202100:15	–	attackerkb
Circl	CVE-2021-37695	13 Aug 202107:40	–	circl

NVD

Vulners

Node

ckeditor ckeditorRange<4.16.2

Node

debian debian_linuxMatch9.0

Node

fedoraproject fedoraMatch33

fedoraproject fedoraMatch34

fedoraproject fedoraMatch35

Node

oracle application_expressRange<21.1.4

oracle banking_party_managementMatch2.7.0

oracle commerce_guided_searchMatch11.3.2

oracle commerce_merchandisingMatch11.3.2

oracle documakerMatch12.6.3

oracle documakerMatch12.6.4

oracle financial_services_analytical_applications_infrastructureRange8.0.7–8.1.1

oracle financial_services_analytical_applications_infrastructureMatch8.0.3

oracle financial_services_model_management_and_governanceRange8.0.8.0.0–8.1.0.0.0

oracle jd_edwards_enterpriseone_toolsRange<9.2.6.0

oracle peoplesoft_enterprise_peopletoolsMatch8.57

oracle peoplesoft_enterprise_peopletoolsMatch8.58

oracle peoplesoft_enterprise_peopletoolsMatch8.59

[
  {
    "product": "ckeditor4",
    "vendor": "ckeditor",
    "versions": [
      {
        "status": "affected",
        "version": "< 4.16.2"
      }
    ]
  }
]

Source	Link
lists	www.lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
oracle	www.oracle.com/security-alerts/cpujan2022.html
lists	www.lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
oracle	www.oracle.com/security-alerts/cpuoct2021.html
github	www.github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
github	www.github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
lists	www.lists.debian.org/debian-lts-announce/2021/11/msg00007.html
lists	www.lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/

Parameter	Position	Path	Description	CWE
Fake Objects HTML	path	ckeditor.com/cke4/addon/fakeobjects	Injection of malformed Fake Objects HTML in CKEditor 4 Fake Objects plugin could execute JavaScript	CWE-79

21 Nov 2024 06:15Current

6Medium risk

Vulners AI Score6

CVSS 23.5

CVSS 3.15.4 - 7.3

EPSS0.0074

CWE-79