Pandao editor.md vulnerable to XSS in IMG attributes

Description

Pandao Editor.md 1.5.0 allows XSS via crafted attributes of an invalid IMG element.

Recommendation

No fix is available yet. Followings are affected versions:

• = 1.5.0

References

• GHSA-vjcj-5g2r-vxqc
• CVE-2018-16330
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Pandao editor.md vulnerable to DOM XSS - CVE-2018-19056
• Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter - CVE-2020-19698
• Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter - CVE-2020-19697
• Bootstrap vulnerable to Cross-Site Scripting (XSS) - CVE-2018-14040

Tags:

npm

editor.md