Bug 1219300 (CVE-2021-33829)

Summary: VUL-0: CVE-2021-33829: otrs: ckeditor: cross-site scripting allows remote attackers to inject executable JavaScript code
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Christian Wittmer <chris>
Status: RESOLVED WONTFIX QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, security-team, stoyan.manolov
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/301642/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-01-29 14:24:46 UTC 
OTRS Security Advisory 2024-04

OSA-2024-04 A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because –!> is mishandled.

PRODUCT AFFECTED:

This issue affects

OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1;

OTRSAdvancedEditor: from 6.0.X through 6.0.30, from 7.0.X through 7.0.32, from 8.0.X through 8.0.15, from 2023.X through 2023.1.1.

((OTRS)) Community Edition: from 6.0.1 through 6.0.34

---------------------------
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in
CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject
executable JavaScript code through a crafted comment because --!> is mishandled.

References:
https://otrs.com/release-notes/otrs-security-advisory-2024-04/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33829
https://www.cve.org/CVERecord?id=CVE-2021-33829
https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
https://bugzilla.redhat.com/show_bug.cgi?id=1974728
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
https://www.drupal.org/sa-core-2021-003
https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/