Home > Vulnerability Database > CVE-2021-26272

Mend.io Vulnerability Database

CVE-2021-26272

Good to know:

Date: January 26, 2021

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

Language: Java

Severity Score

6.5

Related Resources (8)

Url: https://www.oracle.com/security-alerts/cpujan2022.html

Url: https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first

Url: https://github.com/ckeditor/ckeditor4

Url: https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416

Url: https://www.oracle.com//security-alerts/cpujul2021.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-26272

Url: https://www.oracle.com/security-alerts/cpuoct2021.html

Url: https://www.mend.io/vulnerability-database/CVE-2021-26272

Severity Score

6.5

Weakness Type (CWE)

Inclusion of Functionality from Untrusted Control Sphere

CWE-829

Top Fix

Upgrade Version

Upgrade to version mog33/drupal-composer-advanced-template - dev-8.x-dev;raisinpicker/raisinpicker-profile - v0.4-alpha;raisinpicker/raisinpicker-profile - v0.4.4;ahillio/civibase - 8.4.0-beta15;ahillio/civibase - no_fix;vardot/varbase - 8.8.9;vardot/varbase - 8.x-7.2;vardot/varbase - 8.7.5;vardot/varbase - dev-dependabot/npm_and_yarn/trim-newlines-3.0.1;vardot/varbase - 8.8.12;vardot/varbase - dev-dependabot/npm_and_yarn/word-wrap-1.2.4;vardot/varbase - 8.7.2;vardot/varbase - dev-dependabot/npm_and_yarn/json5-1.0.2;vardot/varbase - 9.0.2;vardot/varbase - dev-dependabot/npm_and_yarn/follow-redirects-1.14.7;vardot/varbase - 8.x-6.2;vardot/varbase - dev-dependabot/npm_and_yarn/npm_and_yarn-7e27cc98d8;ckeditor-full - 4.16.0;drupal-ckeditor-libraries-group/autolink - 4.9.1;ahyadessam/laravel-adminlte - 1.0.5;ahyadessam/laravel-adminlte - no_fix;joomlatools/framework-ckeditor - v1.1.0;csoftech/cms - no_fix;intelliants/subrion - v4.2.0;intelliants/subrion - no_fix;intelliants/subrion - v4.0.0;ckeditor4 - 4.16.0;rotary/rotary-base - 9.0.x-dev;benit/ckeditor-dev - 4.0.0;org.webjars.npm:github-com-ckeditor-ckeditor-dev:no_fix;org.webjars.npm:github-com-ckeditor-ckeditor4:no_fix

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-26272

Good to know:

Date: January 26, 2021

Language: Java

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?