Fluid Attacks Database

Description

CKEditor 4 ReDoS Vulnerability It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	ckeditor4-dev	>=0 <4.16	4.16
debian 12	ckeditor	>=0 <4.16.0+dfsg-1	4.16.0+dfsg-1
npm	ckeditor	>=4.0 <4.16	4.16
npm	ckeditor4	>=4.0 <4.16	4.16.0
debian 11	ckeditor	>=0 <4.16.0+dfsg-1	4.16.0+dfsg-1

Aliases

1. CVE-2021-262712. NVD-2021-262713. OSV-2021-262714. OSV-DEBIAN-2021-262715. GCVE-2021-262716. SECURITY-TRACKER-CVE-2021-26271

References

1. https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-4162. https://web.archive.org/web/20210128132707/https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first3. https://www.oracle.com//security-alerts/cpujul2021.html4. https://www.oracle.com/security-alerts/cpuoct2021.html5. https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first