ELA-513-1 ckeditor security update
CKEditor, an open source WYSIWYG HTML editor with rich content support that can be embedded into web pages, had the following two vulnerabilities:
CVE-2021-33829
A cross-site scripting (XSS) vulnerability in the HTML Data
Processor in CKEditor 4 allows remote attackers to inject
executable JavaScript code through a crafted comment because
--!> is mishandled.
CVE-2021-37695
A potential vulnerability has been discovered in the CKEditor 4
Fake Objects package. The vulnerability allowed the injection of
malformed Fake Objects HTML, which could result in the execution
of JavaScript code.
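The comment handling behind CVE-2021-33829 can be checked for in stored editor content. The following is an added example, not code from this advisory or from CKEditor: it reports HTML comments whose end differs between a filter that accepts only `-->` and an HTML5 tokenizer, which also ends a comment at `--!>`. The function names and the `-->`-only filter model are assumptions made for illustration, and the input is assumed to be a plain markup fragment.

```javascript
// Added example, not CKEditor code. Compares two ways of finding where an
// HTML comment ends and reports the comments on which they disagree.

// Assumption: a filter that accepts only "-->" as the comment terminator.
function naiveCommentEnd(html, bodyStart) {
  const i = html.indexOf("-->", bodyStart);
  return i === -1 ? html.length : i + 3;
}

// Terminators an HTML5 tokenizer accepts: "-->", "--!>", and the abrupt
// forms "<!-->" and "<!--->".
function specCommentEnd(html, bodyStart) {
  if (html.startsWith(">", bodyStart)) return bodyStart + 1;
  if (html.startsWith("->", bodyStart)) return bodyStart + 2;
  const ends = ["-->", "--!>"]
    .map((t) => ({ at: html.indexOf(t, bodyStart), len: t.length }))
    .filter((e) => e.at !== -1)
    .sort((a, b) => a.at - b.at);
  return ends.length ? ends[0].at + ends[0].len : html.length;
}

// Returns one record per comment whose end differs between the two models.
// "exposed" is the text the filter still treats as comment content but a
// browser parses as live markup.
function findCommentEndMismatches(html) {
  const findings = [];
  let pos = 0;
  while ((pos = html.indexOf("<!--", pos)) !== -1) {
    const bodyStart = pos + 4;
    const naiveEnd = naiveCommentEnd(html, bodyStart);
    const specEnd = specCommentEnd(html, bodyStart);
    if (naiveEnd !== specEnd) {
      findings.push({ start: pos, specEnd, naiveEnd,
        exposed: html.slice(specEnd, naiveEnd) });
    }
    pos = specEnd; // continue where a browser would resume parsing
  }
  return findings;
}

// Constructed sample input (benign markup only).
const sample = "<p>a</p><!-- ok --><!-- note --!><b>shown</b> --><p>z</p>";
console.log(findCommentEndMismatches(sample));
```

An empty result means both models agree on every comment boundary in the input; any finding marks content that should be reviewed or re-sanitized after upgrading.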
For Debian 8 jessie, these problems have been fixed in version 4.4.4+dfsg1-3+deb8u1.
We recommend that you upgrade your ckeditor packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A ckeditor security update has been released for Debian GNU/Linux 8 Extended LTS.