KindEditor 4.1.2 Cross Site Scripting

`  
KindEditor 4.1.2 (name parameter) Reflected XSS Vulnerability  
  
  
Vendor: Shanghai Hao Yue Software Co., Ltd.  
Product web page: http://www.kindeditor.net  
Affected version: 4.1.2 and 4.0.6  
  
Summary: KindEditor online HTML editor is a set of open source, mainly for  
users on the site to get WYSIWYG editing effects, developers can replace the  
traditional multi-line text input box (textarea) KindEditor rich visualization  
text input box.  
  
Desc: KindEditor is prone to a reflected cross-site scripting vulnerability.  
This issue is due to a failure in the application to properly sanitize user-supplied  
input to the 'name' parameter thru the 'index.php' script. Attackers can exploit this  
weakness to execute arbitrary HTML and script code in a user's browser session.  
  
  
--------------------------------- snip ---------------------------------  
/index.php:  
----------  
  
Line 14: editor = K.create('textarea[name="<?php echo $name; ?>"]', {  
  
--------------------------------- snip ---------------------------------  
  
  
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)  
Apache 2.4.2 (Win32)  
PHP 5.4.4  
MySQL 5.5.25a  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2012-5100  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5100.php  
  
  
21.08.2012  
  
---  
  
  
http://localhost/kindeditor/index.php?name=<pre><script>alert('XSS');</script>by ZSL!</pre>  
`