ckeditor4 vulnerable to cross-site scripting
Moderate severity
GitHub Reviewed
Published Jun 21, 2021 to the GitHub Advisory Database • Updated Feb 8, 2024
Affected versions:
>= 7.0.0, < 7.80
>= 8.0.0, < 8.9.16
>= 9.0.0, < 9.0.14
>= 9.1.0, < 9.1.9
Patched versions:
7.80
8.9.16
9.0.14
9.1.9
Published by the National Vulnerability Database: Jun 9, 2021
Reviewed: Jun 14, 2021
Published to the GitHub Advisory Database: Jun 21, 2021
Last updated: Feb 8, 2024

Description
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
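
Why the `--!>` sequence matters to an HTML filter, shown as an added example that is not code from the advisory or from CKEditor: browsers accept `--!>` as the end of a comment, so a filter that only recognizes `-->` still treats the markup that follows as comment text. The function names and sample strings are constructed for illustration, and `specCommentEnd` is a simplified model of the HTML Standard's comment rules.

```javascript
// Added example: comment-boundary check for HTML filters (hypothetical helper names).

// Filter-style rule: a comment ends only at "-->".
function naiveCommentEnd(html, start) {
  const i = html.indexOf("-->", start + 4);
  return i === -1 ? html.length : i + 3;
}

// Browser-style rule, simplified from the HTML Standard tokenizer:
// "<!-->" and "<!--->" are empty comments, and both "-->" and "--!>" end one.
function specCommentEnd(html, start) {
  const body = start + 4;
  if (html.startsWith(">", body)) return body + 1;
  if (html.startsWith("->", body)) return body + 2;
  const hits = [["-->", 3], ["--!>", 4]]
    .map(([token, len]) => [html.indexOf(token, body), len])
    .filter(([i]) => i !== -1);
  if (hits.length === 0) return html.length; // unterminated: runs to end of input
  const [i, len] = hits.reduce((a, b) => (b[0] < a[0] ? b : a));
  return i + len;
}

// Report each comment where the two rules disagree, plus the text a browser
// parses as live markup while the naive rule still treats it as comment.
function findCommentMismatches(html) {
  const findings = [];
  let pos = 0;
  while ((pos = html.indexOf("<!--", pos)) !== -1) {
    const naive = naiveCommentEnd(html, pos);
    const spec = specCommentEnd(html, pos);
    if (naive !== spec) {
      findings.push({ offset: pos, exposed: html.slice(spec, naive) });
    }
    pos = spec; // continue from where a browser leaves the comment
  }
  return findings;
}

// Constructed inputs containing inert markup only.
const SAMPLES = [
  "<p>ok</p><!-- note -->",
  "<p>a</p><!-- x --!><b>shown</b> -->",
];
for (const s of SAMPLES) console.log(JSON.stringify(findCommentMismatches(s)));
```

A non-empty result means the input should be rejected or re-serialized before storage, since the filter and the browser no longer agree on what is comment and what is markup.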