VYPR
Moderate severity · NVD Advisory · Published Jun 9, 2021 · Updated Aug 3, 2024

CVE-2021-33829

Description

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CKEditor 4 versions 4.14.0 through 4.16.0 contain a stored XSS vulnerability via crafted HTML comments, fixed in 4.16.1.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the HTML Data Processor of CKEditor 4, affecting versions 4.14.0 through 4.16.x before 4.16.1 [1]. The flaw arises from the mishandling of the --!> sequence inside crafted HTML comments [1][3]. Browsers close a comment at --!> as well as at --> (the HTML standard reports --!> as an "incorrectly closed comment" but still ends the comment there), so markup that the processor treats as comment text can be parsed by the browser as live elements, allowing an attacker to inject executable JavaScript code.

Exploitation

An attacker exploits this by submitting content that contains a specially crafted HTML comment with the --!> sequence through any input path that the application feeds into the editor's HTML Data Processor (for example, stored articles or comments that are later loaded back into CKEditor 4) [1]. No special authentication or network position is required beyond the ability to submit that content; the malicious payload executes in the browser of any user who later loads or renders it. Exploitability therefore depends on the application accepting untrusted HTML into the editor, which is the common case for user-generated content.
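The following is an added example, not CKEditor's own code: a minimal HTML comment scanner in two flavours that shows the class of bug described in the Vulnerability and Exploitation sections, namely a processor that recognises only --> as the end of a comment while the browser also ends it at --!>. The comment-end rules come from the WHATWG HTML tokenizer (a comment ends at --> or --!>, and <!--> and <!---> are abruptly closed empty comments); the LEGACY and SPEC terminator sets, the helper names and the PAYLOAD string are all constructed for this illustration and are an assumption about how such a scanner works, not CKEditor's actual implementation.

```javascript
// Added example (not CKEditor code): two comment scanners that disagree
// about where an HTML comment ends, and the markup each one leaves exposed.
//
// Per the WHATWG HTML tokenizer, a comment opened by "<!--" ends at "-->"
// OR at "--!>" (the latter is a parse error, but the comment still closes),
// and "<!-->" / "<!--->" are abruptly closed empty comments. A scanner that
// only knows "-->" will swallow markup that the browser actually renders.

// Return the index just past the end of the comment that opens at `start`
// (which must point at "<!--"), or html.length if it never closes.
function commentEnd(html, start, terminators) {
  const bodyStart = start + 4; // skip "<!--"
  // Abrupt closing: "<!-->" and "<!--->" are empty comments in the spec.
  if (terminators.abrupt) {
    if (html.startsWith('>', bodyStart)) return bodyStart + 1;
    if (html.startsWith('->', bodyStart)) return bodyStart + 2;
  }
  // Otherwise the comment ends at whichever terminator appears first.
  let end = html.length;
  for (const t of terminators.ends) {
    const i = html.indexOf(t, bodyStart);
    if (i !== -1 && i + t.length < end) end = i + t.length;
  }
  return end;
}

// Split markup into {type: 'comment' | 'markup', text} segments.
function segments(html, terminators) {
  const out = [];
  let pos = 0;
  while (pos < html.length) {
    const c = html.indexOf('<!--', pos);
    if (c === -1) { out.push({ type: 'markup', text: html.slice(pos) }); break; }
    if (c > pos) out.push({ type: 'markup', text: html.slice(pos, c) });
    const end = commentEnd(html, c, terminators);
    out.push({ type: 'comment', text: html.slice(c, end) });
    pos = end;
  }
  return out;
}

// The non-comment markup a processor would go on to parse and sanitise.
function visibleMarkup(html, terminators) {
  return segments(html, terminators)
    .filter(s => s.type === 'markup')
    .map(s => s.text)
    .join('');
}

// Hypothetical terminator sets (assumption, for illustration only).
const LEGACY = { ends: ['-->'], abrupt: false };         // only "-->" closes a comment
const SPEC   = { ends: ['-->', '--!>'], abrupt: true };  // what browsers actually do

// Constructed payload: the legacy scanner believes the comment runs to the
// final "-->", but the browser closes it at "--!>" and renders the <img>.
const PAYLOAD = '<p>hello</p><!-- --!><img src=x onerror=alert(1)> --><p>bye</p>';

// True when the spec-correct scan exposes markup the legacy scan hid, i.e.
// the content would bypass a sanitiser built on the legacy scanner.
function legacyHidesMarkup(html) {
  return visibleMarkup(html, SPEC).length > visibleMarkup(html, LEGACY).length;
}

console.log('legacy scanner sees :', JSON.stringify(visibleMarkup(PAYLOAD, LEGACY)));
console.log('browser actually sees:', JSON.stringify(visibleMarkup(PAYLOAD, SPEC)));
console.log('bypass?              :', legacyHidesMarkup(PAYLOAD));
```

Run with node; the legacy scan reports only the two paragraphs, while the spec-correct scan exposes the <img> element with its onerror handler. Any sanitiser that segments comments the legacy way never inspects that element, which is exactly the gap a fix must close: treat --!> (and the abrupt forms) as comment terminators before any filtering decision is made.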

Impact

Successful exploitation enables arbitrary JavaScript execution in the context of the victim's session within the application using CKEditor 4. This can lead to data theft (e.g., session cookies, tokens), content manipulation, or further compromise of the application. The impact is typical of a stored XSS vulnerability with full scope of the browser session [1][3].

Mitigation

CKEditor 4.16.1, released on June 8, 2021, fixes this vulnerability by properly handling --!> in comments [1][3]. Users should upgrade to version 4.16.1 or later. As of June 30, 2023, CKEditor 4 reached its End of Life (EOL) and no longer receives security updates; the open-source version (4.22.1 and below) is also EOL [2]. For continued support, commercial CKEditor 4 LTS is available until December 2028 [2]. Migrating to CKEditor 5 is strongly recommended as the long-term solution [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions      Patched versions
ckeditor4      npm         >= 4.14.0, < 4.16.1    4.16.1
drupal/core    Packagist   >= 7.0.0, < 7.80       7.80
drupal/core    Packagist   >= 8.0.0, < 8.9.16     8.9.16
drupal/core    Packagist   >= 9.0.0, < 9.0.14     9.0.14
drupal/core    Packagist   >= 9.1.0, < 9.1.9      9.1.9
drupal/drupal  Packagist   >= 7.0.0, < 7.80       7.80
drupal/drupal  Packagist   >= 8.0.0, < 8.9.16     8.9.16
drupal/drupal  Packagist   >= 9.0.0, < 9.0.14     9.0.14
drupal/drupal  Packagist   >= 9.1.0, < 9.1.9      9.1.9
