A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4, versions 4.14.0 through 4.16.x before 4.16.1, allows remote attackers to inject executable JavaScript code through a crafted comment because the `--!>` sequence is mishandled.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| ckeditor4 (npm) | 4.14.0 | 4.16.1 | N/A |
| drupal/core (Packagist) | 7.0.0 | 7.80 | N/A |
| drupal/core (Packagist) | 8.0.0 | 8.9.16 | N/A |
| drupal/core (Packagist) | 9.0.0 | 9.0.14 | N/A |
| drupal/core (Packagist) | 9.1.0 | 9.1.9 | N/A |
| drupal/drupal (Packagist) | 7.0.0 | 7.80 | N/A |
| drupal/drupal (Packagist) | 8.0.0 | 8.9.16 | N/A |
| drupal/drupal (Packagist) | 9.0.0 | 9.0.14 | N/A |
| drupal/drupal (Packagist) | 9.1.0 | 9.1.9 | N/A |