CVE-2021-32809
Arbitrary HTML injection vulnerability in ckeditorckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
We have discovered 8,247 live websites that are affected by CVE-2021-32809.
Affected Software
| Product |  CKEditor |
| Category | Rich Text Editors |
| Vulnerable Domains | 8,247 live websites (70.06% of CKEditor install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 44 versions ( 44.44% of all versions) |
Common Weakness Enumeration
CWE-94 Improper Control of Generation of Code ('Code Injection')Details
- Published - Aug 13, 2021
- Updated - Aug 3, 2024
CWE
CVE References
CWE References
CVE-2021-32809 usage by Country
 United States | 4,105 websites |
 France | 630 websites |
 Germany | 415 websites |
 Iran | 373 websites |
 Korea, South | 264 websites |
 Russia | 217 websites |
 Japan | 190 websites |
 GB | 143 websites |
 Poland | 133 websites |
 Singapore | 123 websites |
CVE-2021-32809 usage by TLD
| .com | 3,038 websites |
| .org | 973 websites |
| .net | 391 websites |
| .fr | 181 websites |
| .ru | 177 websites |
| .de | 149 websites |
| .com.br | 113 websites |
| .pl | 111 websites |
| .eu | 91 websites |
| .cz | 81 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2021-32809
Top websites that are affected by CVE-2021-32809. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.***.au |  Australia | *,*** | |
| *****.net |  Ukraine | **,*** | |
| ****.***********.***.au | Australia | **,*** | |
| ***.org | United States | **,*** | |
| ****.***.au | Australia | **,*** | |
| ********.org | United States | **,*** | |
| *******.***.ua | United States | **,*** | |
| ***.ca | United States | **,*** | |
| ***.***.au | Australia | **,*** | |
| ****************.com | United States | **,*** |
FAQ
CVE-2021-32809 is Improper Control of Generation of Code ('Code Injection') in CKEditor
A total of 8,247 websites have been identified as vulnerable to CVE-2021-32809, discovered through global website indexing conducted by WebTechSurvey.
CKEditor is susceptible to CVE-2021-32809 vulnerability.
CKEditor versions before 4.16.2 are vulnerable to CVE-2021-32809.
Version 4.16.2 of CKEditor addresses the CVE-2021-32809 security vulnerability.
References
- https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html