[Git][security-tracker-team/security-tracker][master] ckeditor3: link related ckeditor CVEs

Sylvain Beucler (@beuc) beuc at debian.org
Sat May 21 08:53:54 BST 2022 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9a55e943 by Sylvain Beucler at 2022-05-21T09:50:59+02:00
ckeditor3: link related ckeditor CVEs
See https://lists.debian.org/debian-lts/2022/05/msg00018.html

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -18414,6 +18414,8 @@ CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed
 	- ckeditor <unfixed>
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
 	NOTE: https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949 (4.18.0)
+	NOTE: MITRE's referenced patch (above) does not seem related
+	- ckeditor3 <unfixed>
 CVE-2022-24727
 	REJECTED
 CVE-2022-24726 (Istio is an open platform to connect, manage, and secure microservices ...)
@@ -45269,12 +45271,14 @@ CVE-2021-41165 (CKEditor4 is an open source WYSIWYG HTML editor. In affected ver
 	[buster] - ckeditor <no-dsa> (Minor issue)
 	[stretch] - ckeditor <no-dsa> (Minor issue)
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2 (v4.17.0)
+	- ckeditor3 <unfixed>
 CVE-2021-41164 (CKEditor4 is an open source WYSIWYG HTML editor. In affected versions  ...)
 	- ckeditor <unfixed> (bug #999909)
 	[bullseye] - ckeditor <no-dsa> (Minor issue)
 	[buster] - ckeditor <no-dsa> (Minor issue)
 	[stretch] - ckeditor <no-dsa> (Minor issue)
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj (v4.17.0)
+	- ckeditor3 <not-affected> (Advanced Content Filter introduced in v4.1)
 CVE-2021-41163 (Discourse is an open source platform for community discussion. In affe ...)
 	NOT-FOR-US: Discourse
 CVE-2021-41162 (Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta  ...)
@@ -54191,6 +54195,7 @@ CVE-2021-37695 (ckeditor is an open source WYSIWYG HTML editor with rich content
 	[buster] - ckeditor <no-dsa> (Minor issue)
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
 	NOTE: https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
+	- ckeditor3 <unfixed>
 CVE-2021-37694 (@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud S ...)
 	NOT-FOR-US: @asyncapi/java-spring-cloud-stream-template
 CVE-2021-37693 (Discourse is an open-source platform for community discussion. In Disc ...)
@@ -63333,6 +63338,7 @@ CVE-2021-33829 (A cross-site scripting (XSS) vulnerability in the HTML Data Proc
 	[buster] - ckeditor <no-dsa> (Minor issue)
 	NOTE: https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
 	NOTE: https://github.com/ckeditor/ckeditor4/commit/3e426ce34f7fc7bf784624358831ef9e189bb6ed
+	- ckeditor3 <unfixed>
 CVE-2021-33828 (The files_antivirus component before 1.0.0 for ownCloud mishandles the ...)
 	- owncloud <removed>
 CVE-2021-33827 (The files_antivirus component before 1.0.0 for ownCloud allows OS Comm ...)
@@ -82965,6 +82971,7 @@ CVE-2021-26272 (It was possible to execute a ReDoS-type attack inside CKEditor 4
 	[stretch] - ckeditor <postponed> (Fix along next DLA)
 	NOTE: https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
 	NOTE: https://github.com/ckeditor/ckeditor4/commit/467cc95b666d65ba9dc84c05dd760a00395a353a (4.16.0)
+	- ckeditor3 <not-affected> (autolink plugin introduced in v4.5)
 CVE-2021-26271 (It was possible to execute a ReDoS-type attack inside CKEditor 4 befor ...)
 	- ckeditor 4.16.0+dfsg-1 (bug #982587)
 	[buster] - ckeditor <no-dsa> (Minor issue)
@@ -242286,6 +242293,7 @@ CVE-2018-17960 (CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a
 	- ckeditor 4.11.1+dfsg-1 (low)
 	[stretch] - ckeditor <ignored> (Minor issue, XSS through direct copy/paste by victim, no identified patch)
 	[jessie] - ckeditor <ignored> (Minor issue)
+	- ckeditor3 <unfixed> (low)
 	- fckeditor <removed>
 CVE-2018-17959
 	RESERVED
@@ -411026,6 +411034,9 @@ CVE-2014-5191 (Cross-site scripting (XSS) vulnerability in the Preview plugin be
 	- ckeditor 4.4.4+dfsg1-1 (bug #760736)
 	[wheezy] - ckeditor <not-affected> (Preview plugin not yet present)
 	[squeeze] - ckeditor <not-affected> (Preview plugin not yet present)
+	- ckeditor3 <unfixed>
+	NOTE: https://dev.ckeditor.com/browser/CKEditor/trunk/_source/plugins/preview/preview.html?rev=7706 (v3.6.x)
+	NOTE: https://github.com/ckeditor/ckeditor4/commit/b685874c6bc873a76e6e95916c43840a2b7ab08a (v4.4.3)
 CVE-2014-5190 (Cross-site scripting (XSS) vulnerability in captcha-secureimage/test/i ...)
 	NOT-FOR-US: WordPress plugin SI CAPTCHA Anti-Spam
 CVE-2014-5189 (SQL injection vulnerability in lib/optin/optin_page.php in the Lead Oc ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a55e943bca823e36337c8b47cd65adcf0405fd4

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a55e943bca823e36337c8b47cd65adcf0405fd4
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220521/dffe69a3/attachment.htm>

More information about the debian-security-tracker-commits mailing list