CVE-2021-21391

Sep 3, 2024

Published Date: 2021-04-29T01:15Z
Last Modified: 2023-11-07T03:30Z

CVSS Score: 6.5 (MEDIUM)

EPSS Score: 0.48%

Risk Score: 4.55 (MEDIUM)

Risk Score based on CVSS score and EPSS. This score is for reference purposes and is not internationally recognized.

Meter Needle
CVSS: 6.5  |  EPSS: 0.48%

Description: CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.

Mitre ATT&CK Technical v15.1

T1053.002 – At

Technical Analysis & Mitigation Measures

Reference Links

Vendor - Produce - Version

ckeditor5-widget - ckeditor, ckeditor5-paste-from-office - ckeditor, ckeditor5-media-embed - ckeditor, ckeditor5-markdown-gfm - ckeditor, ckeditor5-list - ckeditor, ckeditor5-image - ckeditor, ckeditor5-font - ckeditor, ckeditor5-engine - ckeditor

Disclaimer

The content on this website is automatically sourced from external websites such as the National Vulnerability Database (NVD), GitHub, and other security-related sources. This content is for reference purposes only, and we are not responsible for the accuracy or integrity of the information linked or displayed from these sources.