Cross-Site Scripting in @progress/kendo-angular-editor

2020-08-11T19:40:10
ID GHSA-J7WP-VJJ6-CP5M
Type github
Reporter GitHub Advisory Database
Modified 2020-08-31T20:18:49

Description

Kendo UI for Angular Editor Component (npm package @progress/kendo-angular-editor) before version 1.2.3 is vulnerable to Cross-Site Scripting. When the Editor content contains potentially malicious scripts in element event handlers, they get executed. Adding the following content to the Editor value demonstrates the issue: <img src="" onerror=alert(document.domain)>.
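The advisory's payload works because an inline event-handler attribute (onerror) survives into the rendered editor content. As an added example (not code from the advisory or from the @progress/kendo-angular-editor package), the Node.js snippet below shows the defender-side check that should sit in front of any rich-text field: it parses tag attributes, reports every on* attribute regardless of case or quoting style, and produces a copy of the markup with those attributes removed. The tag and attribute grammar handled here is an assumption of the example and deliberately minimal; a production deployment should sanitize with a maintained library such as DOMPurify rather than rely on this scanner alone.

```javascript
// Added example: detect and strip inline event-handler attributes (on*) from
// HTML before it is stored or loaded into a rich-text editor.
// Not Kendo UI code; the tag/attribute grammar below is a simplified assumption.

// Matches one opening tag and captures its name and its raw attribute text.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
// Matches one attribute inside that raw text: name, then an optional
// double-quoted, single-quoted or unquoted value.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Conservative test: any attribute whose name starts with "on" is treated as
// an event handler (onerror, onclick, onload, ...), independent of case.
function isEventHandlerAttribute(name) {
  return name.toLowerCase().startsWith('on');
}

// Returns every event-handler attribute found, as { tag, name, value }.
// Useful as a detection hook: log or reject content when the list is non-empty.
function findEventHandlerAttributes(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const [, tagName, rawAttrs] = tag;
    for (const attr of rawAttrs.matchAll(ATTR_RE)) {
      if (isEventHandlerAttribute(attr[1])) {
        findings.push({
          tag: tagName.toLowerCase(),
          name: attr[1].toLowerCase(),
          value: attr[2] ?? attr[3] ?? attr[4] ?? '',
        });
      }
    }
  }
  return findings;
}

// Returns a copy of the markup with on* attributes removed from every tag.
// Other attributes are kept verbatim, in their original order and quoting.
function stripEventHandlerAttributes(html) {
  return html.replace(TAG_RE, (whole, tagName, rawAttrs) => {
    const kept = [];
    for (const attr of rawAttrs.matchAll(ATTR_RE)) {
      if (!isEventHandlerAttribute(attr[1])) kept.push(attr[0]);
    }
    const selfClosing = whole.endsWith('/>') ? '/' : '';
    return `<${tagName}${kept.length ? ' ' + kept.join(' ') : ''}${selfClosing}>`;
  });
}

// Constructed sample input: the advisory's payload embedded in ordinary content.
const sampleEditorValue = '<p>hello</p><img src="" onerror=alert(document.domain)>';
console.log(findEventHandlerAttributes(sampleEditorValue));
// -> [ { tag: 'img', name: 'onerror', value: 'alert(document.domain)' } ]
console.log(stripEventHandlerAttributes(sampleEditorValue));
// -> <p>hello</p><img src="">

module.exports = { findEventHandlerAttributes, stripEventHandlerAttributes };
```

Run the check on the server before persisting editor content and again before echoing stored content back to a client, so that content saved by a vulnerable editor version is not replayed into a patched one. Treating a non-empty findings list as a rejected write, rather than silently stripping, also gives you a log line to alert on.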