CVE-2021-33829

Description

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

How to fix CVE-2021-33829

To remediate CVE-2021-33829, upgrade the affected package to a fixed version below.

• Bitnami/drupal—upgrade to 8.9.16 or later
• —upgrade to 4.16.0+dfsg-2 or later
• —upgrade to 4.5.7+dfsg-2+deb9u1 or later
• —no fix listed
• —upgrade to 4.16.1 or later
• —upgrade to 8.9.16 or later
• —upgrade to 7.80 or later
• —upgrade to 7.80 or later

Is CVE-2021-33829 being exploited?

Likely — EPSS is 65.5%, placing CVE-2021-33829 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (8)

• >= 8.9.0, < 8.9.16, >= 9.0.0, < 9.0.14, >= 9.1.0, < 9.1.9
• from 0, < 4.16.0+dfsg-2
• from 0, < 4.5.7+dfsg-2+deb9u1
• from 0
• >= 4.14.0, < 4.16.1
• >= 8.0.0, < 8.9.16 | >= 9.0.0, < 9.0.14 | >= 9.1.0, < 9.1.9
• >= 7.0.0, < 7.80
• >= 7.0.0, < 7.80

CVSS scores

References (15)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-33829
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-33829
• PATCHgithub.com/ckeditor/ckeditor4
• WEBckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser