vditor Vulnerable to Cross-site Scripting in SVG events

Description

vditor does not filter user input in SVG events, leading to XSS

Recommendation

Update the vditor package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.8.11
• Patched version(s): 3.8.11

References

• GHSA-cxm3-v4mv-6mh8
• huntr.dev
• CVE-2021-4103
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Vditor Cross-site Scripting vulnerability - CVE-2021-32855
• Joplin vulnerable to Cross-site Scripting in notes - CVE-2021-37916
• Cross-site Scripting in vditor (GHSA-pq37-4c4g-v38c) - CVE-2022-0341
• Margox Braft-Editor Cross-site Scripting Vulnerability - CVE-2021-27524

Tags:

npm

vditor