Cross-Site Scripting in @progress/kendo-angular-editor
2020-08-11T19:40:10
ID: GHSA-J7WP-VJJ6-CP5M
Type: github
Reporter: GitHub Advisory Database
Modified: 2020-08-31T20:18:49
Description
Kendo UI for Angular Editor Component (npm package @progress/kendo-angular-editor) before version 1.2.3 is vulnerable to Cross-Site Scripting. When the Editor content contains potentially malicious scripts in element event handlers, they get executed.
Adding the following content to the Editor value demonstrates the issue: <img src="" onerror=alert(document.domain)>.
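The advisory's point is that inline event-handler attributes (such as `onerror`) in editor content run as soon as the HTML is inserted into the DOM, so the fix is to strip them before rendering. The following is an added example, not code from the advisory or from the Kendo UI for Angular code base: a small string-based sanitizer in plain JavaScript that removes `on*` attributes, `javascript:`-style URLs and script-like elements, with the advisory's own probe string as one of the inputs. The `renderUnsafe`/`renderSafe` helpers are hypothetical names that assume a browser DOM and only show where the check belongs; production code should use a maintained sanitizer such as DOMPurify, since a hand-written tokenizer like this one does not cover every browser parsing quirk.

```javascript
// Added example (not part of the advisory or the Kendo UI code base): a minimal
// sanitizer that removes inline event handlers and javascript: URLs from
// editor HTML before it is assigned to innerHTML. Runs in plain Node.js.

const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);
const DROP_ELEMENTS = new Set(["script", "iframe", "object", "embed"]);

// name, optionally followed by ="...", '...' or an unquoted value
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
// leading slash (closing tag), tag name, attribute body, trailing slash (self-closing)
const TAG_RE = /^(\/?)([a-zA-Z][\w:-]*)([\s\S]*?)(\/?)$/;

function parseAttributes(body) {
  const attrs = [];
  for (const m of body.matchAll(ATTR_RE)) {
    const value = m[2] ?? m[3] ?? m[4] ?? null; // null = boolean attribute
    attrs.push([m[1], value]);
  }
  return attrs;
}

function isDangerousUrl(value) {
  // Browsers ignore control characters inside the scheme, so drop them first.
  const cleaned = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return cleaned.startsWith("javascript:") ||
         cleaned.startsWith("vbscript:") ||
         cleaned.startsWith("data:text/html");
}

function isDangerousAttr(name, value) {
  const lower = name.toLowerCase();
  if (lower.startsWith("on")) return true; // onerror, onclick, onload, ...
  return URL_ATTRS.has(lower) && value !== null && isDangerousUrl(value);
}

// Index of the '>' that closes the tag starting at html[start], honouring quotes.
function findTagEnd(html, start) {
  let quote = null;
  for (let j = start + 1; j < html.length; j++) {
    const ch = html[j];
    if (quote) { if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === ">") return j;
  }
  return -1;
}

function sanitizeEditorHtml(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    const gt = findTagEnd(html, lt);
    if (gt === -1) { out += "&lt;" + html.slice(lt + 1); break; } // stray '<'
    const m = TAG_RE.exec(html.slice(lt + 1, gt));
    i = gt + 1;
    if (!m) continue; // comments, doctype, malformed tags: dropped
    const [, closing, rawName, body, selfClose] = m;
    const name = rawName.toLowerCase();
    if (DROP_ELEMENTS.has(name)) {
      if (!closing && !selfClose) { // skip the element's content as well
        const endIdx = html.toLowerCase().indexOf("</" + name, i);
        if (endIdx === -1) break;
        const endGt = html.indexOf(">", endIdx);
        i = endGt === -1 ? html.length : endGt + 1;
      }
      continue;
    }
    const kept = parseAttributes(body)
      .filter(([n, v]) => !isDangerousAttr(n, v))
      .map(([n, v]) => (v === null ? n : `${n}="${v.replace(/"/g, "&quot;")}"`));
    out += "<" + closing + rawName + (kept.length ? " " + kept.join(" ") : "") +
           (selfClose ? " /" : "") + ">";
  }
  return out;
}

// Hypothetical rendering helpers (assume a browser DOM; not run here).
function renderUnsafe(container, editorValue) {
  container.innerHTML = editorValue; // the vulnerable pattern: handlers fire on insert
}
function renderSafe(container, editorValue) {
  container.innerHTML = sanitizeEditorHtml(editorValue);
}

// The advisory's probe string, constructed input: the onerror handler is removed.
console.log(sanitizeEditorHtml('<img src="" onerror=alert(document.domain)>'));
```

The sanitizer treats attributes as data rather than searching for known-bad strings: every `on*` attribute is dropped regardless of its value, and URL-bearing attributes are only checked once whitespace and control characters have been removed, which is the form a browser actually evaluates.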
{"id": "GHSA-J7WP-VJJ6-CP5M", "bulletinFamily": "software", "title": "Cross-Site Scripting in @progress/kendo-angular-editor", "description": "Kendo UI for Angular Editor Component (npm package @progress/kendo-angular-editor) before version 1.2.3 is vulnerable to Cross-Site Scripting. When the Editor content contains potentially malicious scripts in element event handlers, they get executed.\nAdding the following content to the Editor value demonstrates the issue: `<img src=\"\" onerror=alert(document.domain)>`.", "published": "2020-08-11T19:40:10", "modified": "2020-08-31T20:18:49", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://github.com/advisories/GHSA-j7wp-vjj6-cp5m", "reporter": "GitHub Advisory Database", "references": ["https://github.com/advisories/GHSA-j7wp-vjj6-cp5m", "https://stackblitz.com/edit/angular-6xzuzp-tef7lb?file=app/app.component.ts"], "cvelist": [], "type": "github", "lastseen": "2020-08-31T23:57:28", "edition": 2, "viewCount": 15, "enchantments": {"dependencies": {"references": [{"type": "github", "idList": ["GHSA-J7WP-VJJ6-CP5M"]}], "modified": "2020-08-31T23:57:28", "rev": 2}, "score": {"value": 4.7, "vector": "NONE", "modified": "2020-08-31T23:57:28", "rev": 2}, "vulnersScore": 4.7}, "affectedSoftware": [{"name": "@progress/kendo-angular-editor", "operator": "lt", "version": "1.2.3"}], "scheme": null}