ELA-513-1 ckeditor security update

multiple vulnerabilities

2021-11-09
Packageckeditor
Version4.4.4+dfsg1-3+deb8u1
Related CVEs CVE-2021-33829 CVE-2021-37695

CKEditor, an open source WYSIWYG HTML editor with rich content support, which can be embedded into web pages, had two vulnerabilites as follows:

CVE-2021-33829

A cross-site scripting (XSS) vulnerability in the HTML Data
Processor in CKEditor 4 allows remote attackers to inject
executable JavaScript code through a crafted comment because
--!> is mishandled.

CVE-2021-37695

A potential vulnerability has been discovered in CKEditor 4
Fake Objects package. The vulnerability allowed to inject
malformed Fake Objects HTML, which could result in executing
JavaScript code.

For Debian 8 jessie, these problems have been fixed in version 4.4.4+dfsg1-3+deb8u1.

We recommend that you upgrade your ckeditor packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/