{"id":"CVE-2021-33829","details":"A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!\u003e is mishandled.","aliases":["BIT-drupal-2021-33829","DRUPAL-CORE-2021-003","GHSA-rgx6-rjj4-c388"],"modified":"2026-02-24T11:39:29.994855Z","published":"2021-06-09T12:15:07.863Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/"},{"type":"ADVISORY","url":"https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html"},{"type":"ADVISORY","url":"https://www.drupal.org/sa-core-2021-003"},{"type":"FIX","url":"https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser"},{"type":"FIX","url":"https://www.drupal.org/sa-core-2021-003"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ckeditor/ckeditor-releases","events":[{"introduced":"0d574568baeddda92f231681ea5aac4860dca4e4"},{"fixed":"a0d9ddd4b80b3dcc1d1bc8c2acc2d43e4c96b660"}]}],"versions":["standard/4.14.0","standard/4.14.1","standard/4.15.0","standard/4.15.1","standard/4.16.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-33829.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/ckeditor/ckeditor4","events":[{"introduced":"8a12b041718e05eeffb62a931d95995ac72cbe22"},{"fixed":"cae20318d46745cc46c811da4e7d68b38ca32449"}]}],"versions":["4.14.0","4.14.1","4.15.0","4.15.1","4.16.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-33829.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}