{"id":"CVE-2021-32808","details":"ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin when it is used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users of the CKEditor 4 plugins mentioned above at versions \u003e= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.","aliases":["GHSA-6226-h7ff-ch6c"],"modified":"2026-05-19T12:02:32.337144898Z","published":"2021-08-12T17:15:08.047Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"33"},{"last_affected":"34"},{"last_affected":"35"}],"vendor_product":"fedoraproject:fedora","source":"CPE_FIELD","cpes":["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*"]},{"extracted_events":[{"fixed":"21.1.4"}],"vendor_product":"oracle:application_express","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:banking_party_management","extracted_events":[{"last_affected":"2.7.0"}],"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:commerce_guided_search","extracted_events":[{"last_affected":"11.3.2"}],"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:commerce_merchandising","extracted_events":[{"last_affected":"11.3.2"}],"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:documaker","extracted_events":[{"last_affected":"12.6.3"},{"last_affected":"12.6.4"}],"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*","cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*"]},{"ext
racted_events":[{"introduced":"8.0.7"},{"last_affected":"8.1.1"}],"vendor_product":"oracle:financial_services_analytical_applications_infrastructure","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:financial_services_model_management_and_governance","extracted_events":[{"last_affected":"8.0.8.0.0"},{"last_affected":"8.1.0.0.0"}],"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.0.8.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.0.0.0:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"9.2.6.0"}],"vendor_product":"oracle:jd_edwards_enterpriseone_tools","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:peoplesoft_enterprise_peopletools","extracted_events":[{"last_affected":"8.57"},{"last_affected":"8.58"},{"last_affected":"8.59"}],"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"21.9"}],"vendor_product":"oracle:siebel_ui_framework","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*"]},{"extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}],"vendor_product":"oracle:webcenter_sites","source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/mess
age/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/"},{"type":"ADVISORY","url":"https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2"},{"type":"ADVISORY","url":"https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ckeditor/ckeditor4","events":[{"introduced":"af6f5152347bcecd5feb6a89a5b7882cc99292a3"},{"fixed":"4e64f672190a14d3c38aebd94ae4fb10c79e4545"}],"database_specific":{"cpe":"cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"4.13.0"},{"fixed":"4.16.2"}],"source":["CPE_FIELD","REFERENCES"]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32808.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/ckeditor/ckeditor4-releases","events":[{"introduced":"cf60389742771d1f1a2ae2c8cc27a69fd93d3fe9"},{"fixed":"0919c6a34271f9776c495e78deff75ffefe52b62"}],"database_specific":{"cpe":"cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"4.13.0"},{"fixed":"4.16.2"}],"source":"CPE_FIELD"}}],"versions":["standard/4.16.1","standard/4.16.0","standard/4.15.1","standard/4.15.0","standard/4.14.1","standard/4.14.0","standard/4.13.1","standard/4.13.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32808.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}