CVE-2021-37695

7.3 HIGH

📋 TL;DR

CVE-2021-37695 is a cross-site scripting (XSS) vulnerability in CKEditor 4's Fake Objects plugin that allows attackers to inject malicious HTML that can execute JavaScript code in victims' browsers. It affects all users of CKEditor 4 with the Fake Objects plugin enabled in versions before 4.16.2. The vulnerability is particularly dangerous because it can be exploited through user-generated content in WYSIWYG editors.

💻 Affected Systems

Products:
  • CKEditor 4
Versions: All versions < 4.16.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the Fake Objects plugin enabled, which is commonly used for embedding non-HTML objects like Flash or Silverlight.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could execute arbitrary JavaScript in users' browsers, leading to session hijacking, credential theft, defacement, or redirection to malicious sites.

🟠

Likely Case

Stored XSS attacks where malicious content persists in the application, affecting multiple users who view the compromised content.

🟢

If Mitigated

With proper input validation and output encoding, the risk is reduced, but the vulnerability still exists in the underlying code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to inject content into the CKEditor instance, typically through authenticated user input or content management systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.16.2

Vendor Advisory: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc

Restart Required: No

Instructions:

1. Update CKEditor 4 to version 4.16.2 or later.
2. Replace the existing CKEditor files with the patched version.
3. Clear any caches that might serve old versions.
4. Test the editor functionality after the update.

🔧 Temporary Workarounds

Disable Fake Objects Plugin

Applies to: all platforms

Remove or disable the vulnerable Fake Objects plugin if not required for functionality.

Remove 'fakeobjects' from the CKEditor configuration plugins list

Implement Content Security Policy

Applies to: all platforms

Add CSP headers to restrict script execution from untrusted sources.

Add a `Content-Security-Policy: script-src 'self'` header to the web server configuration
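Both workarounds above are configuration changes, so the following added example (not CKEditor's or the advisory's code) shows them applied programmatically: one helper strips `fakeobjects` from a CKEditor 4 config object and pins it in `removePlugins`, a second reports whether the plugin would still load, and a third builds the CSP header value. CKEditor 4 really does read comma-separated plugin names from `config.plugins`, `config.extraPlugins` and `config.removePlugins`; the input config, the plugin names other than `fakeobjects`, and the CDN host are constructed for the example.

```javascript
// Added example, not part of CKEditor 4 or the advisory.
// Assumes the CKEditor 4 config conventions: comma-separated plugin names in
// config.plugins, config.extraPlugins and config.removePlugins.

const VULNERABLE_PLUGIN = 'fakeobjects';

// Split a CKEditor 4 comma-separated plugin list into a clean array.
// Handles undefined values and stray whitespace ("a, b ,c").
function splitPluginList(value) {
  if (!value) return [];
  return String(value).split(',').map(s => s.trim()).filter(Boolean);
}

// Return a copy of the config with fakeobjects removed from every list it
// could be enabled through, and pinned in removePlugins so a preset or a
// later extraPlugins entry cannot quietly re-enable it.
function hardenCkeditorConfig(config) {
  const hardened = Object.assign({}, config);
  for (const key of ['plugins', 'extraPlugins']) {
    if (hardened[key] !== undefined) {
      hardened[key] = splitPluginList(hardened[key])
        .filter(p => p !== VULNERABLE_PLUGIN)
        .join(',');
    }
  }
  const removed = new Set(splitPluginList(hardened.removePlugins));
  removed.add(VULNERABLE_PLUGIN);
  hardened.removePlugins = Array.from(removed).join(',');
  return hardened;
}

// True if this config would still load fakeobjects. When config.plugins is
// not set, the build's own default list applies, which the config cannot
// reveal, so the check conservatively reports the plugin as enabled unless
// removePlugins excludes it.
function fakeObjectsEnabled(config) {
  const removed = new Set(splitPluginList(config.removePlugins));
  if (removed.has(VULNERABLE_PLUGIN)) return false;
  if (config.plugins === undefined) return true;
  return splitPluginList(config.plugins).includes(VULNERABLE_PLUGIN) ||
         splitPluginList(config.extraPlugins).includes(VULNERABLE_PLUGIN);
}

// Build the script-src value for the CSP workaround. With 'self' only, the
// browser refuses inline <script> bodies and inline event handlers, which is
// what blunts injected markup while the vulnerable code is still deployed.
// Extra sources are appended only when the application genuinely needs them.
function buildCspHeader(extraScriptSources = []) {
  const sources = ["'self'", ...extraScriptSources];
  return `script-src ${sources.join(' ')}`;
}

// Constructed sample config, as a deployment might have it before the fix.
const SAMPLE_CONFIG = {
  plugins: 'basicstyles, fakeobjects ,link',
  extraPlugins: 'fakeobjects',
  removePlugins: 'about',
};
```

Plugins that depend on `fakeobjects` for their own markup (the page notes it underpins embedding of non-HTML objects such as Flash or Silverlight) lose that function when it is removed, which is why the workaround is only for installations that do not need it; upgrading to 4.16.2 remains the real fix.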

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all CKEditor content
  • Monitor for suspicious HTML patterns in user-generated content

🔍 How to Verify

Check if Vulnerable:

Check CKEditor version in source code or configuration files. If version is below 4.16.2 and Fake Objects plugin is enabled, the system is vulnerable.

Check Version:

Check the ckeditor.js file header or version.txt file in CKEditor installation directory

Verify Fix Applied:

Verify CKEditor version is 4.16.2 or higher and test editor functionality with sample content containing fake objects.
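The three checks above reduce to one decision: version below 4.16.2 and plugin enabled means vulnerable. The following added example (not CKEditor's or the advisory's code) implements that decision with a numeric version comparison, which matters because a plain string comparison would rank 4.9.x above 4.16.x. The `extractVersionFromSource` helper assumes that the `ckeditor.js` build text contains a `version:"x.y.z"` property; CKEditor 4 does expose `CKEDITOR.version` at runtime, but the textual form searched here is an assumption about the build, and the sample source snippet is constructed.

```javascript
// Added example, not part of CKEditor 4 or the advisory.
// Fixed version as stated in the advisory.
const FIXED_VERSION = '4.16.2';

// Parse "4.16.1" (an optional leading "v" and any suffix are tolerated) into
// three numeric components; a missing patch component counts as 0.
function parseVersion(v) {
  const m = /^\s*v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v));
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Returns -1, 0 or 1. Component-wise numeric comparison, so "4.9.2" < "4.16.1".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Pull the version out of ckeditor.js source text.
// Assumption (not verified against every build): the file contains a
// version:"x.y.z" property for the CKEDITOR object.
function extractVersionFromSource(src) {
  const m = /version\s*:\s*["'](\d+\.\d+\.\d+)["']/.exec(src);
  return m ? m[1] : null;
}

// Combine the version and the plugin state into the page's verdict:
// 'patched'                      -> 4.16.2 or later, nothing further to do
// 'vulnerable'                   -> older build with fakeobjects enabled
// 'outdated-but-plugin-disabled' -> older build; not exploitable through the
//                                   plugin, but the code is still old, so upgrade
function assessCkeditor({ version, fakeObjectsEnabled }) {
  const outdated = compareVersions(version, FIXED_VERSION) < 0;
  if (!outdated) return 'patched';
  return fakeObjectsEnabled ? 'vulnerable' : 'outdated-but-plugin-disabled';
}

// Constructed stand-in for the head of a minified ckeditor.js file.
const SAMPLE_CKEDITOR_JS =
  '/* constructed sample, not a real build */ CKEDITOR={version:"4.16.1",revision:"PLACEHOLDER"};';

// Stand-alone run: report the verdict for the constructed sample.
function runSample() {
  const version = extractVersionFromSource(SAMPLE_CKEDITOR_JS);
  return assessCkeditor({ version, fakeObjectsEnabled: true });
}
```

For a deployed instance, reading `CKEDITOR.version` in the browser console is the quickest confirmation that the patched files are actually being served rather than a cached copy.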

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML patterns in content submissions
  • Multiple failed attempts to submit malformed HTML

Network Indicators:

  • Unexpected script tags in POST requests to content endpoints
  • Suspicious JavaScript execution patterns

SIEM Query:

source="web_server" AND ("fakeobjects" OR "cke-plugin-fakeobjects") AND status=200
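The network indicator above, script tags in POST requests to content endpoints, can be checked outside the SIEM as well. The following added example (not from the advisory) runs it over a handful of constructed log lines. The line format `METHOD PATH STATUS BODY` and the content endpoint paths are constructed for the example; standard access logs do not record request bodies, so in practice the body field comes from an application-level log or a WAF.

```javascript
// Added example, not part of the advisory or any vendor tooling.
// Constructed log format: METHOD PATH STATUS BODY, with BODY URL-encoded as
// submitted (an application log or WAF would supply this; access logs do not).
const SAMPLE_LOG = [
  'POST /api/content 200 text=%3Cp%3EHello+world%3C%2Fp%3E',
  'POST /api/content 200 text=%3Cp%3Ex%3C%2Fp%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E',
  'GET /api/content 200 -',
  'POST /api/profile 200 text=%3Cscript%3E',
  'POST /api/content 200 text=%E0%A4%A',   // malformed encoding, must not crash the scan
];

// Constructed endpoint patterns for the content-management routes in scope.
const CONTENT_ENDPOINTS = [/^\/api\/content/, /^\/admin\/pages/];

// Markup that has no business in a sanitised editor submission.
const SCRIPT_PATTERNS = [
  /<\s*script\b/i,     // script element
  /\bon[a-z]+\s*=/i,   // inline event handler attribute
  /javascript\s*:/i,   // script URL scheme
];

// Decode a form-encoded body. A malformed percent sequence falls back to the
// raw text so the line is still inspected rather than silently skipped.
function decodeBody(body) {
  const spaced = body.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(spaced);
  } catch (e) {
    return spaced;
  }
}

function parseLine(line) {
  const [method, path, status, ...rest] = line.split(' ');
  return { method, path, status: Number(status), body: rest.join(' ') };
}

// Return one hit per POST to a content endpoint whose decoded body matches a
// script pattern. The status is kept because an accepted (200) submission is
// what turns a probe into stored content.
function findSuspiciousSubmissions(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec.method !== 'POST') continue;
    if (!CONTENT_ENDPOINTS.some(re => re.test(rec.path))) continue;
    const decoded = decodeBody(rec.body);
    const matched = SCRIPT_PATTERNS.filter(re => re.test(decoded)).map(re => re.source);
    if (matched.length > 0) hits.push({ path: rec.path, status: rec.status, matched });
  }
  return hits;
}
```

Patterns this coarse will produce false positives on legitimate rich-text content that discusses scripting, so the output is a triage queue to pair with the log indicators above, not a block list.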
