Login Sign Up

CVE-2021-32808

7.6 HIGH
Cross-Site Scripting

📋 TL;DR

CVE-2021-32808 is a cross-site scripting (XSS) vulnerability in CKEditor 4 that allows attackers to execute arbitrary JavaScript code by exploiting a flaw in the clipboard Widget plugin when used with the undo feature. It affects all users running CKEditor 4 version 4.13.0 or higher with the vulnerable plugins enabled. The vulnerability enables client-side code execution in the context of the affected web application.

💻 Affected Systems

Products:
  • CKEditor 4
Versions: >= 4.13.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires both clipboard Widget plugin and undo feature to be enabled. Affects all platforms where CKEditor 4 is deployed.

📦 What is this software?

Application Express by Oracle

View all CVEs affecting Application Express →

Banking Party Management by Oracle

View all CVEs affecting Banking Party Management →

Ckeditor by Ckeditor

View all CVEs affecting Ckeditor →

Commerce Guided Search by Oracle

View all CVEs affecting Commerce Guided Search →

Commerce Merchandising by Oracle

View all CVEs affecting Commerce Merchandising →

Documaker by Oracle

View all CVEs affecting Documaker →

Documaker by Oracle

View all CVEs affecting Documaker →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Financial Services Analytical Applications Infrastructure by Oracle

View all CVEs affecting Financial Services Analytical Applications Infrastructure →

Financial Services Model Management And Governance by Oracle

View all CVEs affecting Financial Services Model Management And Governance →

Financial Services Model Management And Governance by Oracle

View all CVEs affecting Financial Services Model Management And Governance →

Jd Edwards Enterpriseone Tools by Oracle

View all CVEs affecting Jd Edwards Enterpriseone Tools →

Peoplesoft Enterprise Peopletools by Oracle

View all CVEs affecting Peoplesoft Enterprise Peopletools →

Peoplesoft Enterprise Peopletools by Oracle

View all CVEs affecting Peoplesoft Enterprise Peopletools →

Peoplesoft Enterprise Peopletools by Oracle

View all CVEs affecting Peoplesoft Enterprise Peopletools →

Siebel Ui Framework by Oracle

View all CVEs affecting Siebel Ui Framework →

Webcenter Sites by Oracle

View all CVEs affecting Webcenter Sites →

Webcenter Sites by Oracle

View all CVEs affecting Webcenter Sites →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of user sessions, credential theft, defacement of web applications, and potential pivot to backend systems if combined with other vulnerabilities.

🟠

Likely Case

Session hijacking, credential theft, and client-side data exfiltration from users interacting with malicious content.

🟢

If Mitigated

Limited impact if proper content security policies (CSP) are implemented and user input is sanitized elsewhere in the application stack.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction with malicious content but doesn't require authentication. Proof of concept is available in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.16.2

Vendor Advisory: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c

Restart Required: No

Instructions:

1. Update CKEditor 4 to version 4.16.2 or later. 2. Replace existing CKEditor files with patched version. 3. Clear browser caches and CDN caches if applicable. 4. Test editor functionality after update.

🔧 Temporary Workarounds

Disable vulnerable plugins

all

Temporarily disable clipboard Widget plugin or undo feature if not essential

Modify CKEditor configuration to remove 'clipboard' and/or 'undo' from plugins list

Implement Content Security Policy

all

Add strict CSP headers to prevent script execution

Add Content-Security-Policy header with script-src 'self' or stricter directives

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all user-generated content
  • Deploy web application firewall (WAF) rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check CKEditor version in source code or configuration files. If version is 4.13.0 to 4.16.1 and clipboard/undo plugins are enabled, system is vulnerable.

Check Version:

Check CKEditor source files for version number or examine web page source for CKEditor version references

Verify Fix Applied:

Confirm CKEditor version is 4.16.2 or later and test editor functionality with sample malicious content.

📡 Detection & Monitoring

Log Indicators:

  • Unusual editor content submissions containing script tags or JavaScript payloads
  • Multiple undo/redo operations with malformed HTML

Network Indicators:

  • HTTP requests containing CKEditor-specific parameters with script payloads
  • Unusual outbound connections from editor pages

SIEM Query:

web_requests WHERE url CONTAINS 'ckeditor' AND (body CONTAINS '<script>' OR body CONTAINS 'javascript:' OR body CONTAINS 'onload=')

📊 Metadata

CVE ID: CVE-2021-32808
CVSS v3 Score: 7.6 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
CWE: CWE-79
Published: August 12, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-32808, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)