Description:
CKEditor version used (4.11.3) has cross-site scripting and denial-of-service vulnerabilities associated with it.
References: https://vulners.com/cve/CVE-2020-9281
The HTML Data Processor for CKEditor, in versions prior to v4.16, allows remote attackers to inject arbitrary web script through a crafted “protected” comment (with the cke_protected syntax).
https://vulners.com/cve/CVE-2021-26272
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Request: Please update to v4.16