https://bugzilla.suse.com/show_bug.cgi?id=1219300 Bug ID: 1219300 Summary: VUL-0: CVE-2021-33829: otrs: ckeditor: cross-site scripting allows remote attackers to inject executable JavaScript code Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/301642/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: chris@computersalat.de Reporter: smash_bz@suse.de QA Contact: security-team@suse.de CC: abergmann@suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- OTRS Security Advisory 2024-04 OSA-2024-04 A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because –!> is mishandled. PRODUCT AFFECTED: This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1; OTRSAdvancedEditor: from 6.0.X through 6.0.30, from 7.0.X through 7.0.32, from 8.0.X through 8.0.15, from 2023.X through 2023.1.1. ((OTRS)) Community Edition: from 6.0.1 through 6.0.34 --------------------------- A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. References: https://otrs.com/release-notes/otrs-security-advisory-2024-04/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33829 https://www.cve.org/CVERecord?id=CVE-2021-33829 https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#i... https://bugzilla.redhat.com/show_bug.cgi?id=1974728 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap... https://www.drupal.org/sa-core-2021-003 https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap... https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap... -- You are receiving this mail because: You are on the CC list for the bug.