Updated advisory posts against rubysec/ruby-advisory-db@0435b90

Author: jamgregory

advisories/_posts/2021-01-26-CVE-2021-26271.md

@@ -0,0 +1,48 @@
+---
+layout: advisory
+title: 'CVE-2021-26271 (ckeditor): Regular expression Denial of Service in dialog
+  plugin'
+comments: false
+categories:
+- ckeditor
+advisory:
+  gem: ckeditor
+  cve: 2021-26271
+  ghsa: f6rf-9m92-x2hh
+  url: https://github.com/ckeditor/ckeditor4/blob/master/CHANGES.md#ckeditor-416
+  title: Regular expression Denial of Service in dialog plugin
+  date: 2021-01-26
+  description: |
+    ## Affected packages
+
+    The vulnerability has been discovered and fixed in the [dialog](https://ckeditor.com/cke4/addon/dialog) plugin. Packages indirectly affected by the issue having dialog plugin dependency:
+
+    - [Link](https://ckeditor.com/cke4/addon/link)
+    - [Image](https://ckeditor.com/cke4/addon/image)
+    - [Enhanced Image](https://ckeditor.com/cke4/addon/image2)
+    - [Code Snippet](https://ckeditor.com/cke4/addon/codesnippet)
+    - [Iframe Dialog](https://ckeditor.com/cke4/addon/iframe)
+
+    ## Impact
+
+    A potential vulnerability has been discovered in CKEditor 4 dialog plugin. The vulnerability allowed to abuse a dialog input validator regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 4 plugins listed above at version < 4.18.0.
+
+    ## Patches
+
+    The problem has been recognized and patched. The fix will be available in version 4.18.0.
+
+    ## For more information
+
+    Email us at [email protected] if you have any questions or comments about this advisory.
+
+    ## Acknowledgements
+
+    This issue was discovered by the CKEditor 4 team during our regular security audit.
+  patched_versions:
+  - ">= 5.1.2"
+  cvss_v3: 6.5
+  related:
+    url:
+    - https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
+    - https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh
+---

advisories/_posts/2021-05-07-CVE-2020-9281.md

@@ -0,0 +1,34 @@
+---
+layout: advisory
+title: 'CVE-2020-9281 (ckeditor): CKEditor 4.0 vulnerability in the HTML Data Processor'
+comments: false
+categories:
+- ckeditor
+advisory:
+  gem: ckeditor
+  cve: 2020-9281
+  ghsa: vcjf-mgcg-jxjq
+  url: https://github.com/ckeditor/ckeditor4
+  title: CKEditor 4.0 vulnerability in the HTML Data Processor
+  date: 2021-05-07
+  description: |
+    A cross-site scripting (XSS) vulnerability in the HTML Data Processor
+    for CKEditor 4.0 before 4.14.0 allows remote attackers to inject arbitrary web script
+    through a crafted "protected" comment (with the cke_protected syntax).
+  cvss_v3: 6.1
+  patched_versions:
+  - ">= 5.1.2"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-9281
+    - https://github.com/ckeditor/ckeditor4
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/7OJ4BSS3VEAEXPNSOOUAXX6RDNECGZNO/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/L322YA73LCV3TO7ORY45WQDAFJVNKXBE/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/M4HHYQ6N452XTCIROFMJOTYEUWSB6FR4/
+    - https://www.oracle.com/security-alerts/cpujan2021.html
+    - https://www.oracle.com/security-alerts/cpuoct2020.html
+    - https://www.oracle.com/security-alerts/cpuApr2021.html
+    - https://www.oracle.com/security-alerts/cpuoct2021.html
+    - https://www.oracle.com/security-alerts/cpujan2022.html
+    - https://github.com/advisories/GHSA-vcjf-mgcg-jxjq
+---

advisories/_posts/2021-06-21-CVE-2021-33829.md

@@ -0,0 +1,36 @@
+---
+layout: advisory
+title: 'CVE-2021-33829 (ckeditor): ckeditor4 vulnerable to cross-site scripting'
+comments: false
+categories:
+- ckeditor
+advisory:
+  gem: ckeditor
+  cve: 2021-33829
+  ghsa: rgx6-rjj4-c388
+  url: https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
+  title: ckeditor4 vulnerable to cross-site scripting
+  date: 2021-06-21
+  description: |
+    A cross-site scripting (XSS) vulnerability in the HTML Data Processor
+    in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject
+    executable JavaScript code through a crafted comment because `--!>` is mishandled.
+  cvss_v3: 6.1
+  unaffected_versions:
+  - "< 5.1.1"
+  patched_versions:
+  - ">= 5.1.2"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-33829
+    - https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
+    - https://www.npmjs.com/package/ckeditor4
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
+    - https://www.drupal.org/sa-core-2021-003
+    - https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
+    - https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2021-33829.yaml
+    - https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2021-33829.yaml
+    - https://github.com/advisories/GHSA-rgx6-rjj4-c388
+---

advisories/_posts/2021-08-23-CVE-2021-32808.md

@@ -0,0 +1,47 @@
+---
+layout: advisory
+title: 'CVE-2021-32808 (ckeditor): Widget feature vulnerability allowing to execute
+  JavaScript code using undo functionality'
+comments: false
+categories:
+- ckeditor
+advisory:
+  gem: ckeditor
+  cve: 2021-32808
+  ghsa: 6226-h7ff-ch6c
+  url: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c
+  title: Widget feature vulnerability allowing to execute JavaScript code using undo
+    functionality
+  date: 2021-08-23
+  description: |
+    ### Affected packages
+    The vulnerability has been discovered in [Widget](https://ckeditor.com/cke4/addon/clipboard) plugin if used alongside [Undo](https://ckeditor.com/cke4/addon/undo) feature.
+
+    ### Impact
+    A potential vulnerability has been discovered in CKEditor 4 [Widget](https://ckeditor.com/cke4/addon/widget) package. The vulnerability allowed to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0.
+
+    ### Patches
+    The problem has been recognized and patched. The fix will be available in version 4.16.2.
+
+    ### For more information
+    Email us at [email protected] if you have any questions or comments about this advisory.
+
+    ### Acknowledgements
+    The CKEditor 4 team would like to thank Anton Subbotin ([skavans](https://github.com/skavans)) for recognizing and reporting this vulnerability.
+  cvss_v3: 7.6
+  unaffected_versions:
+  - "< 5.1.2"
+  patched_versions:
+  - ">= 5.1.2"
+  related:
+    url:
+    - https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-32808
+    - https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
+    - https://www.oracle.com/security-alerts/cpuoct2021.html
+    - https://www.oracle.com/security-alerts/cpujan2022.html
+    - https://github.com/advisories/GHSA-6226-h7ff-ch6c
+---

advisories/_posts/2021-08-23-CVE-2021-32809.md

@@ -0,0 +1,54 @@
+---
+layout: advisory
+title: 'CVE-2021-32809 (ckeditor): Clipboard feature vulnerability allowing to inject
+  arbitrary HTML into the editor using paste functionality'
+comments: false
+categories:
+- ckeditor
+advisory:
+  gem: ckeditor
+  cve: 2021-32809
+  ghsa: 7889-rm5j-hpgg
+  url: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg
+  title: Clipboard feature vulnerability allowing to inject arbitrary HTML into the
+    editor using paste functionality
+  date: 2021-08-23
+  description: |
+    ### Affected packages
+    The vulnerability has been discovered in [clipboard](https://ckeditor.com/cke4/addon/clipboard) plugin. All plugins with [clipboard](https://ckeditor.com/cke4/addon/clipboard) plugin dependency are affected:
+
+    * [clipboard](https://ckeditor.com/cke4/addon/clipboard)
+    * [pastetext](https://ckeditor.com/cke4/addon/pastetext)
+    * [pastetools](https://ckeditor.com/cke4/addon/pastetools)
+    * [widget](https://ckeditor.com/cke4/addon/widget)
+    * [uploadwidget](https://ckeditor.com/cke4/addon/uploadwidget)
+    * [autolink](https://ckeditor.com/cke4/addon/autolink)
+    * [tableselection](https://ckeditor.com/cke4/addon/tableselection)
+
+    ### Impact
+    A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2.
+
+    ### Patches
+    The problem has been recognized and patched. The fix will be available in version 4.16.2.
+
+    ### For more information
+    Email us at [email protected] if you have any questions or comments about this advisory.
+
+    ### Acknowledgements
+    The CKEditor 4 team would like to thank Anton Subbotin ([skavans](https://github.com/skavans)) for recognizing and reporting this vulnerability.
+  cvss_v3: 4.6
+  unaffected_versions:
+  - "< 4.1.2"
+  patched_versions:
+  - ">= 5.1.2"
+  related:
+    url:
+    - https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-32809
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
+    - https://www.oracle.com/security-alerts/cpuoct2021.html
+    - https://www.oracle.com/security-alerts/cpujan2022.html
+    - https://github.com/advisories/GHSA-7889-rm5j-hpgg
+---

advisories/_posts/2021-08-23-CVE-2021-37695.md

@@ -0,0 +1,53 @@
+---
+layout: advisory
+title: 'CVE-2021-37695 (ckeditor): Fake objects feature vulnerability allowing to
+  execute JavaScript code using malformed HTML.'
+comments: false
+categories:
+- ckeditor
+advisory:
+  gem: ckeditor
+  cve: 2021-37695
+  ghsa: m94c-37g6-cjhc
+  url: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
+  title: Fake objects feature vulnerability allowing to execute JavaScript code using
+    malformed HTML.
+  date: 2021-08-23
+  description: |
+    ### Affected packages
+    The vulnerability has been discovered in [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) plugin. All plugins with [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) plugin dependency are affected:
+
+    * [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects)
+    * [Link](https://ckeditor.com/cke4/addon/link)
+    * [Flash](https://ckeditor.com/cke4/addon/flash)
+    * [Iframe](https://ckeditor.com/cke4/addon/iframe)
+    * [Forms](https://ckeditor.com/cke4/addon/forms)
+    * [Page Break](https://ckeditor.com/cke4/addon/pagebreak)
+
+    ### Impact
+    A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2.
+
+    ### Patches
+    The problem has been recognized and patched. The fix will be available in version 4.16.2.
+
+    ### For more information
+    Email us at [email protected] if you have any questions or comments about this advisory.
+
+    ### Acknowledgements
+    The CKEditor 4 team would like to thank Mika Kulmala ([kulmik](https://github.com/kulmik)) for recognizing and reporting this vulnerability.
+  cvss_v3: 7.3
+  patched_versions:
+  - ">= 5.1.2"
+  related:
+    url:
+    - https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-37695
+    - https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
+    - https://www.oracle.com/security-alerts/cpuoct2021.html
+    - https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
+    - https://www.oracle.com/security-alerts/cpujan2022.html
+    - https://github.com/advisories/GHSA-m94c-37g6-cjhc
+---

advisories/_posts/2021-10-13-CVE-2021-26272.md

@@ -0,0 +1,31 @@
+---
+layout: advisory
+title: 'CVE-2021-26272 (ckeditor): Inclusion of Functionality from Untrusted Control
+  Sphere in CKEditor 4'
+comments: false
+categories:
+- ckeditor
+advisory:
+  gem: ckeditor
+  cve: 2021-26272
+  ghsa: wpvm-wqr4-p7cw
+  url: https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first
+  title: Inclusion of Functionality from Untrusted Control Sphere in CKEditor 4
+  date: 2021-10-13
+  description: |
+    It was possible to execute a ReDoS-type attack inside CKEditor 4 before
+    4.16 by persuading a victim to paste crafted URL-like text into the editor, and
+    then press Enter or Space (in the Autolink plugin).
+  cvss_v3: 6.5
+  patched_versions:
+  - ">= 5.1.2"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-26272
+    - https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first
+    - https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
+    - https://www.oracle.com//security-alerts/cpujul2021.html
+    - https://www.oracle.com/security-alerts/cpuoct2021.html
+    - https://www.oracle.com/security-alerts/cpujan2022.html
+    - https://github.com/advisories/GHSA-wpvm-wqr4-p7cw
+---

advisories/_posts/2021-11-17-CVE-2021-41164.md

@@ -0,0 +1,46 @@
+---
+layout: advisory
+title: 'CVE-2021-41164 (ckeditor): Advanced Content Filter (ACF) vulnerability allowing
+  to execute JavaScript code using malformed HTML'
+comments: false
+categories:
+- ckeditor
+advisory:
+  gem: ckeditor
+  cve: 2021-41164
+  ghsa: pvmx-g8h5-cprj
+  url: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj
+  title: Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript
+    code using malformed HTML
+  date: 2021-11-17
+  description: |
+    ### Affected packages
+    The vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4.
+
+    ### Impact
+    A potential vulnerability has been discovered in CKEditor 4 Advanced Content Filter (ACF) core module. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0.
+
+    ### Patches
+    The problem has been recognized and patched. The fix will be available in version 4.17.0.
+
+    ### For more information
+    Email us at [email protected] if you have any questions or comments about this advisory.
+
+    ### Acknowledgements
+    The CKEditor 4 team would like to thank Maurice Dauer ([laytonctf](https://twitter.com/laytonctf)) for recognizing and reporting this vulnerability.
+  cvss_v3: 8.2
+  patched_versions:
+  - ">= 5.1.2"
+  related:
+    url:
+    - https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj
+    - https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41164
+    - https://www.drupal.org/sa-core-2021-011
+    - https://www.oracle.com/security-alerts/cpujan2022.html
+    - https://www.oracle.com/security-alerts/cpuapr2022.html
+    - https://www.oracle.com/security-alerts/cpujul2022.html
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/
+    - https://lists.fedoraproject.org/archives/list/[email protected]/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/
+    - https://github.com/advisories/GHSA-pvmx-g8h5-cprj
+---