Lucene search

K
osvGoogleOSV:GHSA-M94C-37G6-CJHC
HistoryAug 23, 2021 - 7:42 p.m.

Fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML.

2021-08-2319:42:15
Google
osv.dev
9

0.002 Low

EPSS

Percentile

61.0%

Affected packages

The vulnerability has been discovered in Fake Objects plugin. All plugins with Fake Objects plugin dependency are affected:

Impact

A potential vulnerability has been discovered in CKEditor 4 Fake Objects package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2.

Patches

The problem has been recognized and patched. The fix will be available in version 4.16.2.

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Acknowledgements

The CKEditor 4 team would like to thank Mika Kulmala (kulmik) for recognizing and reporting this vulnerability.

CPENameOperatorVersion
ckeditor4lt4.16.2