CVE-2021-33829
PUBLISHED
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
Risk Scores
- EPSS Score: 65.53% (98.5th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | drupal | 8.9.0, 9.0.0, 9.1.0 |
Exploit Intelligence
- CIRCL confirmed: CVE-2021-33829 (circl-sighting)
- CIRCL seen: CVE-2021-33829 (circl-sighting)
- https://www.drupal.org/sa-core-2021-003 (circl)
- https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser (circl)
- FEDORA-2021-51457da891 (circl)
- FEDORA-2021-72176a63a8 (circl)
- FEDORA-2021-87578dca12 (circl)
- [debian-lts-announce] 20211109 [SECURITY] [DLA 2813-1] ckeditor security update (circl)
- Nuclei Template: CVE-2021-33829 (nuclei-template)
…and 9 more exploits
Timeline
- May 26, 2021 CVE Published
- Jun 10, 2021 EPSS Score
- Sep 29, 2021 EPSS Score
- Oct 5, 2021 EPSS Score
- Oct 11, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Aug 3, 2024 CVE Updated
- Mar 17, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
References
- https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
- https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- https://www.drupal.org/sa-core-2021-003
- https://nvd.nist.gov/vuln/detail/CVE-2021-33829