Description
A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart
attribute of an IMG element) in a text field. No patch exists and no further releases are planned.
This CVE is disputed.
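As an added illustration of the mitigation (not Quill's code and not part of this advisory), the filter below rewrites stored editor HTML through a tag and attribute allowlist so that event-handler attributes such as the IMG onloadstart attribute described above are removed before the content is rendered; the allowed tag and attribute names are assumptions chosen for the demonstration.

```javascript
// Added example, not code from Quill or from the advisory: allowlist-based
// filtering of stored editor HTML. Allowed tags/attributes are assumptions.

// A Map rather than a plain object: a lookup like "constructor" must not hit
// Object.prototype and be mistaken for an allowed tag.
const ALLOWED = new Map([
  ["p", new Set()],
  ["strong", new Set()],
  ["a", new Set(["href", "title"])],
  ["img", new Set(["src", "alt", "width", "height"])],
]);

const TAG_RE = /<(\/?)([a-z][a-z0-9]*)((?:\s[^>]*)?)>/gi;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function unquote(v) {
  if (v === undefined) return "";
  return /^["']/.test(v) ? v.slice(1, -1) : v;
}

// URL-valued attributes must not carry a script-executing scheme; whitespace
// and control characters are dropped first so split-up schemes are caught too.
function isSafeUrl(v) {
  const s = v.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return !/^(javascript|vbscript|data):/.test(s);
}

function sanitizeTag(slash, tag, rawAttrs) {
  const name = tag.toLowerCase();
  const allowedAttrs = ALLOWED.get(name);
  if (!allowedAttrs) return "";            // tag not allowlisted: strip the tag
  if (slash) return `</${name}>`;
  const kept = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = unquote(m[2]);
    if (attr.startsWith("on")) continue;            // onloadstart, onerror, ...
    if (!allowedAttrs.has(attr)) continue;          // anything not allowlisted
    if ((attr === "src" || attr === "href") && !isSafeUrl(value)) continue;
    kept.push(`${attr}="${value.replace(/"/g, "&quot;")}"`);
  }
  return `<${name}${kept.length ? " " + kept.join(" ") : ""}>`;
}

// Rewrite every start and end tag; text outside tags is left untouched.
function sanitizeHtml(html) {
  return html.replace(TAG_RE, (_, slash, tag, rawAttrs) => sanitizeTag(slash, tag, rawAttrs));
}
```

The regex tokenizer is there to show the allowlist logic on a constructed input; a deployment should put a maintained HTML sanitizer such as DOMPurify in front of the renderer rather than rely on a hand-written tag matcher.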
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.3.7
References
- GHSA-4943-9vgg-gr5r
- burninatorsec.blogspot.com
- quilljs.com
- CVE-2021-3163
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Prototype Pollution in lodash - CVE-2018-3721
- Prototype Pollution in async - CVE-2021-43138
- Joplin Remote Code Execution - CVE-2022-40277
- Validation Bypass in kind-of - CVE-2019-20149
Tags:
- npm
- quill
Last updated on August 09, 2024