[Bug 1219300] New: VUL-0: CVE-2021-33829: otrs: ckeditor: cross-site scripting allows remote attackers to inject executable JavaScript code
https://bugzilla.suse.com/show_bug.cgi?id=1219300

            Bug ID: 1219300
           Summary: VUL-0: CVE-2021-33829: otrs: ckeditor: cross-site scripting allows remote attackers to inject executable JavaScript code
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.6
          Hardware: Other
               URL: https://smash.suse.de/issue/301642/
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: chris@computersalat.de
          Reporter: smash_bz@suse.de
        QA Contact: security-team@suse.de
                CC: abergmann@suse.com
  Target Milestone: ---
          Found By: Security Response Team
           Blocker: ---

OTRS Security Advisory 2024-04 OSA-2024-04

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

PRODUCT AFFECTED:
This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1;
OTRSAdvancedEditor: from 6.0.X through 6.0.30, from 7.0.X through 7.0.32, from 8.0.X through 8.0.15, from 2023.X through 2023.1.1.
((OTRS)) Community Edition: from 6.0.1 through 6.0.34

---------------------------

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

References:
https://otrs.com/release-notes/otrs-security-advisory-2024-04/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33829
https://www.cve.org/CVERecord?id=CVE-2021-33829
https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#i...
https://bugzilla.redhat.com/show_bug.cgi?id=1974728
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap...
https://www.drupal.org/sa-core-2021-003
https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorap...

-- 
You are receiving this mail because:
You are on the CC list for the bug.
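The root cause named in the advisory is a parser differential: the HTML parser in browsers treats `--!>` as the end of a comment (an "incorrectly closed comment" parse error that is tolerated), while a sanitizer that only recognizes `-->` keeps reading, so markup placed after `--!>` is inert to the sanitizer but live in the page. The following is an added example, not OTRS or CKEditor code; the two comment strippers are simplified stand-ins for the two parsing models, and the sample input is constructed, using a harmless `<b>` tag in place of any markup.

```javascript
// Added example (not OTRS or CKEditor code). Only the "--!>" form from the
// advisory is modelled; the HTML spec has further abrupt-close forms.

// Naive model: a comment runs from "<!--" to the next "-->".
function stripCommentsNaive(html) {
  return html.replace(/<!--[\s\S]*?-->/g, "");
}

// Spec-aware model: "--!>" also closes the comment, as browsers do.
function stripCommentsSpecAware(html) {
  return html.replace(/<!--[\s\S]*?--!?>/g, "");
}

// Detection for a sanitizer pipeline: if the two models produce different
// output, content the naive sanitizer treated as "inside a comment" will
// be rendered as markup by the browser. Such input should be logged and
// rejected rather than passed on.
function hasCommentTerminatorMismatch(html) {
  return stripCommentsNaive(html) !== stripCommentsSpecAware(html);
}

// Mitigation: rewrite "--!>" to "-->" inside comments before sanitizing,
// so sanitizer and browser agree on where every comment ends.
function normalizeCommentTerminators(html) {
  return html.replace(/<!--[\s\S]*?--!>/g, (m) => m.slice(0, -4) + "-->");
}

// Constructed sample: a bold tag after "--!>" stands in for any markup.
const sample = "<p>hi</p><!-- note --!><b>rendered</b> --><p>bye</p>";

console.log(hasCommentTerminatorMismatch(sample));                            // true
console.log(stripCommentsNaive(sample));                                      // <p>hi</p><p>bye</p>
console.log(stripCommentsSpecAware(sample));                                  // <p>hi</p><b>rendered</b> --><p>bye</p>
console.log(hasCommentTerminatorMismatch(normalizeCommentTerminators(sample))); // false
```

Running the differential over the normalized input returns false: once every `--!>` is rewritten to `-->`, the naive stripper and the browser agree on the comment boundary and the `<b>` tag is visible to the sanitizer.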
https://bugzilla.suse.com/show_bug.cgi?id=1219300

Maintenance Automation <maint-coord+maintenance-robot@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
https://bugzilla.suse.com/show_bug.cgi?id=1219300
https://bugzilla.suse.com/show_bug.cgi?id=1219300#c1

Christian Wittmer <chris@computersalat.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED
              Flags|                            |needinfo?(security-team@suse.de)
                 CC|                            |security-team@suse.de

--- Comment #1 from Christian Wittmer <chris@computersalat.de> ---
Kindly remove that piece of software from the dist. It has been EOL for years now. Not getting updates, and 6.0.x was the last community release. There is no community edition anymore. This will end up in a 'won't fix'.
https://bugzilla.suse.com/show_bug.cgi?id=1219300

Stoyan Manolov <stoyan.manolov@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |RESOLVED
              Flags|needinfo?(security-team@suse.de) |
         Resolution|---                         |WONTFIX
                 CC|                            |stoyan.manolov@suse.com