Vditor allows Cross-site Scripting via an attribute of an `A` element
- Severity: Medium
Description
Vditor 3.10.3 allows XSS via an attribute of an A element.
NOTE: the vendor indicates that a user is supposed to mitigate this via sanitize=true.
Recommendation
No fix is available yet. The following versions are affected:
- = 3.10.3
References
Related Issues
- Trix allows Cross-site Scripting via `javascript:` url in a link - CVE-2025-21610
- Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304
- Froala WYSIWYG editor allows cross-site scripting (XSS) - CVE-2024-51434
- Vega allows Cross-site Scripting via the vlSelectionTuples function (GHSA-mp7w-mhcv-673j) - CVE-2025-25304
- Tags: npm, vditor
Last updated on May 03, 2024