Coordinated Disclosure Timeline

  • 2021-09-15: Report sent to os@b3log.org
  • 2021-09-17: Emails bounced back; contact requested publicly
  • 2021-09-21: Report sent to 845765@qq.com
  • 2021-09-22: Issue collision with a different security researcher
  • 2021-09-22: Issues fixed in 1b2382d

Summary

Copy-paste XSS in vditor text editor

Product

vditor

Tested Version

v3.8.5

Details

Issue: Copy-paste XSS in vditor (GHSL-2021-1006)

The vditor text editor is vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor.

Proof of concept (tested on Chrome):

  • Open this page: cdn.sekurak.pl/copy-paste/playground.html
  • Paste the following code into “HTML Input”:
    <img src="foo" onload="alert(1)" onerror="alert(2)"/>
  • Click “Copy as HTML”
  • Open https://b3log.org/vditor/demo/option-mode.html
  • Paste into the text editor.
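
The defensive counterpart to this bug class is to treat clipboard `text/html` as untrusted input and sanitize it with a real HTML parser before inserting it into the editor. The following is an added example, not vditor's code and not part of the original advisory: a small allow-list sanitizer built on Python's standard-library `html.parser`. It keeps only allow-listed tags and attributes, drops every `on*` event-handler attribute, rejects `href`/`src` values whose URL scheme is not on a safe list, and discards the contents of `script`/`style`-style tags entirely. The allow-list is constructed for the example; the first sample input is the advisory's own PoC markup, the others are constructed variants.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list constructed for this example. A real editor would mirror the
# markup it actually produces and nothing more.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img",
                "ul", "ol", "li", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL
VOID_TAGS = {"br", "img"}
# Tags whose *content* is discarded too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


def _safe_url(value):
    """Reject javascript:, data:, vbscript: and friends; allow relative and
    http(s)/mailto URLs. Control characters are removed first so that
    'java\\tscript:' cannot slip past the scheme check."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x1F).strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class PasteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self._drop_depth = 0   # > 0 while inside a dropped tag (script, ...)
        self._open = []        # stack of allow-listed tags we have emitted

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DROP_WITH_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags are unwrapped: their text survives, they do not
        parts = [tag]
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name.startswith("on"):            # onload, onerror, onclick, ...
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in DROP_WITH_CONTENT and self._drop_depth:
            self._drop_depth -= 1
            return
        if self._drop_depth or tag not in self._open:
            return  # stray close tag, or one for a tag we never emitted
        while self._open:                         # close down to the matching tag
            closed = self._open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions are dropped by default.

    def result(self):
        while self._open:                         # balance anything left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_pasted_html(html):
    """Return a safe HTML fragment for untrusted clipboard text/html."""
    p = PasteSanitizer()
    p.feed(html)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed samples; the first is the advisory's PoC markup.
    for sample in ('<img src="foo" onload="alert(1)" onerror="alert(2)"/>',
                   '<a href="javascript:alert(1)">click</a>',
                   '<p>Hi<script>alert(1)</script> there</p>',
                   '<div onclick="alert(1)">text</div>'):
        print(repr(sample), "->", repr(sanitize_pasted_html(sample)))
```

The important design choice is that the cleanup happens on a parsed tree, not on the raw string: a regex that deletes `on\w+=` is easy to defeat with attribute-name casing, whitespace tricks or entity encoding, whereas the parser normalises all of that before the allow-list is applied. In a browser the same approach is `DOMParser` plus a walk that removes every non-allow-listed node and attribute (or a maintained library that does exactly that), and the editor's paste handler should run it before the clipboard HTML ever touches the document.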

Note: This issue was found using the following CodeQL query

Impact

This issue may lead to XSS with user interaction.

CVE

  • CVE-2021-32855

Credit

This issue was discovered by GHSL team member @erik-krogh (Erik Kristensen) using the CodeQL query contributed by @bananabr (Daniel Santos).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1006 in any communication regarding this issue.