Veracode Vulnerability Database: VERACODE:43626
Oct 09, 2023 - 11:06 a.m.

Cross Site Scripting (XSS)

sca.analysiscenter.veracode.com
Tags: quill-mention, xss, vulnerability, escaping, sanitization, list items, innerhtml, attacker, malicious script, web page, potential attack

CVSS3: 6.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.001
Percentile: 25.8%

quill-mention is vulnerable to Cross Site Scripting. The vulnerability lies in mention.js and quill.mention.js, which render the mention list items using innerHTML without any escaping or sanitization. An attacker can therefore place a malicious script in the content that reaches innerHTML; when the web page renders it, the script executes, leading to a potential Cross-site Scripting (XSS) attack.
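As an added example that is not part of this record or of quill-mention's own code, the following JavaScript contrasts the pattern the advisory describes (user-controlled list items concatenated into markup that is assigned to innerHTML) with an escaped rendering of the same items; the function names, the CSS class and the sample items are constructed for illustration.

```javascript
// Added example, not quill-mention's code. Shows why rendering mention
// list items through innerHTML without escaping is dangerous, and the
// minimal fix: escape every dynamic field before it becomes markup.
// Names below are hypothetical; the CSS class and items are constructed.

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the display value is concatenated verbatim, so any
// markup it carries is parsed as HTML once the string is assigned to
// element.innerHTML in the browser.
function renderMentionListUnsafe(items) {
  return items
    .map((item) => `<li class="mention-item" data-id="${item.id}">${item.value}</li>`)
    .join('');
}

// Hardened form: both the attribute and the text content are escaped, so the
// same value is shown as literal text instead of being interpreted. In a
// browser, building nodes with createElement/textContent avoids innerHTML
// for untrusted data altogether.
function renderMentionListSafe(items) {
  return items
    .map((item) =>
      `<li class="mention-item" data-id="${escapeHtml(item.id)}">${escapeHtml(item.value)}</li>`)
    .join('');
}

// Constructed sample input: one ordinary mention and one whose display
// value contains markup, as a user-editable profile field might.
const sampleMentionItems = [
  { id: 1, value: 'alice' },
  { id: 2, value: '<i>not-italic</i>' },
];
```

Comparing `renderMentionListUnsafe(sampleMentionItems)` with `renderMentionListSafe(sampleMentionItems)` shows the raw `<i>` tag surviving in the first and appearing as `&lt;i&gt;` in the second.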
