ELA-513-1 ckeditor security update

multiple vulnerabilities

2021-11-09
Package: ckeditor
Version: 4.4.4+dfsg1-3+deb8u1
Related CVEs: CVE-2021-33829 CVE-2021-37695


CKEditor, an open source WYSIWYG HTML editor with rich content support, which can be embedded into web pages, had two vulnerabilities:

CVE-2021-33829

A cross-site scripting (XSS) vulnerability in the HTML Data
Processor in CKEditor 4 allows remote attackers to inject
executable JavaScript code through a crafted comment because
--!> is mishandled.
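
The security-relevant point is a parser differential: the WHATWG HTML tokenizer ends a comment opened with <!-- not only at --> but also at --!> (and closes <!--> and <!---> immediately), so any sanitizer or data processor that scans only for --> keeps treating markup as inert comment text while the browser renders it. The following Python is an added example written for this advisory, not CKEditor code and not a reproduction of the CVE; the sample input is constructed and the function names are illustrative. It contrasts a spec-style comment scanner with a "-->"-only scanner and reports the bytes that the naive scanner would hide inside a comment, which is what a defender would want a sanitizer regression test to catch.

```python
"""Spec-style vs naive HTML comment termination (added example, not CKEditor code).

Per the WHATWG tokenizer, a comment opened with "<!--" ends at "-->" AND at
"--!>"; "<!-->" and "<!--->" are abruptly closed empty comments. A scanner
that only knows "-->" runs past "--!>" and hides real markup in a comment.
"""
import re

SPEC_END = re.compile(r"-->|--!>")   # terminators the browser honours
NAIVE_END = re.compile(r"-->")       # what a "-->"-only scanner honours


def split_comments(html, end_pattern=SPEC_END, spec_abrupt=True):
    """Split html into [(kind, text)] with kind in {"text", "comment"}.

    With the defaults this follows the spec's comment termination rules;
    pass NAIVE_END and spec_abrupt=False to model the naive scanner.
    """
    out = []
    pos = 0
    while True:
        start = html.find("<!--", pos)
        if start == -1:
            if pos < len(html):
                out.append(("text", html[pos:]))
            return out
        if start > pos:
            out.append(("text", html[pos:start]))
        body_start = start + 4
        end = None
        if spec_abrupt:
            # "<!-->" and "<!--->" are abrupt-closing empty comments
            for abrupt in (">", "->"):
                if html.startswith(abrupt, body_start):
                    end = body_start + len(abrupt)
                    break
        if end is None:
            m = end_pattern.search(html, body_start)
            if m is None:
                # unterminated comment swallows the rest of the input
                out.append(("comment", html[start:]))
                return out
            end = m.end()
        out.append(("comment", html[start:end]))
        pos = end


def _text_mask(html, end_pattern, spec_abrupt):
    """Per-character flags: True where the scanner sees renderable text."""
    mask = []
    for kind, seg in split_comments(html, end_pattern, spec_abrupt):
        mask.extend([kind == "text"] * len(seg))
    return mask


def hidden_from_naive(html):
    """Characters the browser renders but a '-->'-only scanner treats as comment.

    Empty string means the two scanners agree; anything else is markup the
    naive scanner would let through unsanitized.
    """
    spec = _text_mask(html, SPEC_END, True)
    naive = _text_mask(html, NAIVE_END, False)
    return "".join(c for c, s, n in zip(html, spec, naive) if s and not n)


# Constructed sample: benign markup placed after a "--!>"-terminated comment.
SAMPLE = "<p>Hello</p><!-- draft note --!><b>rendered</b><!-- tail -->"

if __name__ == "__main__":
    for kind, seg in split_comments(SAMPLE):
        print(f"{kind:8} {seg!r}")
    print("hidden from naive scanner:", repr(hidden_from_naive(SAMPLE)))
```

The scanner above is deliberately minimal and only models comment termination; for actual sanitization, rely on a tokenizer that implements the full HTML specification rather than regular expressions, and use a check like hidden_from_naive as a regression test that fails whenever the sanitizer's view of a comment boundary diverges from the browser's.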

CVE-2021-37695

A potential vulnerability has been discovered in the CKEditor 4
Fake Objects package. The vulnerability allowed injection of
malformed Fake Objects HTML, which could result in the execution
of JavaScript code.


For Debian 8 jessie, these problems have been fixed in version 4.4.4+dfsg1-3+deb8u1.

We recommend that you upgrade your ckeditor packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.