Vditor, Cross-Site Scripting via markdown syntax
2022-04-02 12:34:45

Summary

Vditor (vanessa219/vditor) is a browser-based markdown editor. Two vulnerabilities were found in it.

First vulnerability: when a user creates a link using markdown syntax, the server does not URL-encode double quotes, so the user can break out of the href attribute and trigger XSS through an on* event-handler attribute. Second vulnerability: if the user passes javascript:alert(document.domain) as the URL value when creating a link using markdown syntax, there is no sanitizing step and the link is created as is. Both vulnerabilities were patched in v3.8.13 and affect v3.8.12 and v3.8.11.


CVE-2022-0341

Proof of Concept (0341)

XSS PoC : [xss](https://google.com/"//onmousemove="alert(document.domain))
> I can insert an onerror, but I can't log in without a Chinese phone number, so I can't test.

1. Open vanessa219/vditor
2. Enter the XSS PoC (strangely, it doesn't insert at once, so I have to try inserting several times)
3. When the user hovers the mouse over the link, XSS is triggered via the mouse event.

Video : https://www.youtube.com/watch?v=pKQMbrezdCs

Reporting Timeline (0341)

  • 2022-01-23 12h 24m : Reported this issue via huntr
  • 2022-01-24 13h 06m : Issue validated by vanessa219
  • 2022-01-24 13h 06m : CVE-2022-0341 assigned
  • 2022-03-14 10h 56m : Issue patched by vanessa219

Reference (0341)


CVE-2022-0350

Proof of Concept (0350)

XSS PoC : [xss](javascript:alert(document.domain))

1. Open vanessa219/vditor
2. Enter the XSS PoC
3. Click the link

Video : https://www.youtube.com/watch?v=5zzdiBivNSs
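The two defect classes described in the summary and reproduced by the PoCs above (an unescaped double quote that breaks out of the href attribute, and a javascript: URL that is emitted unchanged) come down to how a markdown link is turned into an <a> element. The following is an added example, not Vditor's code: a deliberately minimal link renderer that reproduces both defects, next to a hardened renderer that HTML-escapes the attribute value and only allows an allowlist of URL schemes. The LINK_RE matcher, the function names and the scheme allowlist are assumptions made for this illustration.

```javascript
// Added example (not Vditor's code). A simplified [text](url) matcher;
// real markdown parsers are considerably more involved.
const LINK_RE = /^\[([^\]]*)\]\((.*)\)$/;

// Vulnerable rendering: text and URL are pasted into HTML unchanged.
// A double quote in the URL ends the href value and anything after it
// becomes a new attribute; a javascript: URL is passed through as is.
function renderLinkVulnerable(markdown) {
  const m = LINK_RE.exec(markdown);
  if (!m) return markdown;
  return `<a href="${m[2]}">${m[1]}</a>`;
}

// Escape the five characters that matter inside an HTML attribute.
// Encoding the quote (rather than URL-encoding it) means the attribute
// boundary cannot be crossed whatever the rest of the value contains.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Allowlist of schemes that may appear in a rendered link (assumed here).
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrl(url) {
  // Browsers drop ASCII tab/newline while parsing a URL, so strip them
  // before inspecting the scheme; otherwise "java\tscript:" would slip past.
  const cleaned = url.replace(/[\t\n\r]/g, '').trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // no scheme: relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Hardened rendering: unsafe schemes drop the link and keep the text;
// the URL and link text are escaped before being placed into HTML.
function renderLinkSafe(markdown) {
  const m = LINK_RE.exec(markdown);
  if (!m) return escapeAttr(markdown);
  const [, text, url] = m;
  if (!isSafeUrl(url)) return escapeAttr(text);
  return `<a href="${escapeAttr(url)}">${escapeAttr(text)}</a>`;
}

module.exports = { renderLinkVulnerable, renderLinkSafe, isSafeUrl, escapeAttr };
```

Running the two PoC strings from this post through renderLinkVulnerable yields an extra onmousemove attribute and a bare javascript: href respectively, while renderLinkSafe yields a single href with the quote encoded as &quot; for the first and plain text with no link for the second. The scheme check and the attribute escaping are independent: escaping alone does not stop javascript: URLs, and an allowlist alone does not stop attribute breakout, so a renderer needs both.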

Reporting Timeline (0350)

  • 2022-01-24 13h 11m : Reported this issue via huntr
  • 2022-01-25 00h 11m : Issue validated by vanessa219/vditor
  • 2022-01-25 00h 11m : CVE-2022-0350 assigned
  • 2022-03-31 22h 57m : Issue patched by vanessa219

Reference (0350)
