Vditor, Cross-Site Scripting via markdown syntax
2022-04-02 12:34:45
Summary
vanessa219/vditor is a browser-based markdown editor. Two vulnerabilities were found in it.
First vulnerability: when a user creates a link using the markdown syntax, the server does not URL-encode double quotes, so the user can break out of the href attribute and trigger XSS through an on* event-handler attribute. Second vulnerability: if the user passes javascript:alert(document.domain) as the URL value when creating a link using the markdown syntax, there is no sanitizing step and the link is created as is. Both vulnerabilities were patched in v3.8.13 and affect v3.8.12 and v3.8.11.
CVE-2022-0341
Proof of Concept (0341)
XSS PoC: [xss](https://google.com/"//onmousemove="alert(document.domain))
Reporting Timeline (0341)
- 2022-01-23 12h 24m : Reported this issue via huntr
- 2022-01-24 13h 06m : Issue validated by vanessa219
- 2022-01-24 13h 06m : CVE-2022-0341 assigned
- 2022-03-14 10h 56m : Issue patched by vanessa219
Reference (0341)
CVE-2022-0350
Proof of Concept (0350)
XSS PoC: [xss](javascript:alert(document.domain))
Reporting Timeline (0350)
- 2022-01-24 13h 11m : Reported this issue via huntr
- 2022-01-25 00h 11m : Issue validated by vanessa219/vditor
- 2022-01-25 00h 11m : CVE-2022-0350 assigned
- 2022-03-31 22h 57m : Issue patched by vanessa219
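How a markdown-link renderer closes both bug classes described in this advisory (attribute breakout via an unencoded double quote, and an unchecked javascript: scheme), as an added example that is not Vditor's own code or its fix. The function names renderMarkdownLink, sanitizeHref and escapeHtml are assumptions; the inputs it is run against are the two PoCs above plus a few constructed variants.

```javascript
// Added example, not Vditor's code: minimal [text](destination) renderer.
const LINK = /^\[([^\]]*)\]\(([\s\S]*)\)$/;          // [text](destination)
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const SCHEME_PREFIX = /^[a-z][a-z0-9+.-]*:/i;

// HTML-escape for both text nodes and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a normalized href, or null when the destination must not become a link.
function sanitizeHref(raw) {
  const dest = raw.trim();
  // Control characters (tab, newline, ...) are the classic way to sneak a
  // split "java\nscript:" scheme past a naive check; refuse them outright.
  if (/[\u0000-\u001f\u007f]/.test(dest)) return null;
  try {
    const url = new URL(dest);                       // absolute URL
    // Scheme allow-list (CVE-2022-0350 class): javascript:, data:, vbscript: are rejected.
    if (!SAFE_SCHEMES.has(url.protocol)) return null;
    // WHATWG serialization percent-encodes '"', '<', '>' and spaces, so the
    // destination can no longer terminate the href attribute (CVE-2022-0341 class).
    return url.href;
  } catch {
    // Not absolute: allow only scheme-less relative paths such as /docs or ../a.md.
    return SCHEME_PREFIX.test(dest) ? null : dest;
  }
}

// Renders one markdown link; links with unsafe destinations degrade to plain text.
function renderMarkdownLink(md) {
  const m = LINK.exec(md);
  if (!m) return escapeHtml(md);
  const [, text, rawDest] = m;
  const href = sanitizeHref(rawDest);
  if (href === null) return escapeHtml(text);
  // Attribute-encode the href too: defence in depth for characters the URL
  // parser leaves alone (e.g. a double quote inside a relative path).
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}
```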