[Pkg-javascript-devel] Bug#999909: ckeditor: CVE-2021-41164 CVE-2021-41165

Neil Williams codehelp at debian.org
Thu Nov 18 10:41:14 GMT 2021 

Source: ckeditor
Version: 4.16.2+dfsg-1
Severity: important
Tags: security
X-Debbugs-Cc: codehelp at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for ckeditor.

CVE-2021-41164[0]:
| CKEditor4 is an open source WYSIWYG HTML editor. In affected versions
| a vulnerability has been discovered in the Advanced Content Filter
| (ACF) module and may affect all plugins used by CKEditor 4. The
| vulnerability allowed to inject malformed HTML bypassing content
| sanitization, which could result in executing JavaScript code. It
| affects all users using the CKEditor 4 at version < 4.17.0. The
| problem has been recognized and patched. The fix will be available in
| version 4.17.0.


CVE-2021-41165[1]:
| CKEditor4 is an open source WYSIWYG HTML editor. In affected version a
| vulnerability has been discovered in the core HTML processing module
| and may affect all plugins used by CKEditor 4. The vulnerability
| allowed to inject malformed comments HTML bypassing content
| sanitization, which could result in executing JavaScript code. It
| affects all users using the CKEditor 4 at version < 4.17.0. The
| problem has been recognized and patched. The fix will be available in
| version 4.17.0.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41164
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41164
[1] https://security-tracker.debian.org/tracker/CVE-2021-41165
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41165

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-4-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

More information about the Pkg-javascript-devel mailing list