[CVE-2019-19466] SCEditor – XSS Vulnerability in Version 2.1.3


Product Information:

Software: SCEditor

Tested Version: 2.1.3, released 04.05.2018

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: A lightweight, open source, WYSIWYG BBCode and (X)HTML editor. (copied from https://www.sceditor.com/)


Vulnerability description:

There are 3 XSS vulnerabilities in SCEditor version 2.1.3.

The following are the three default features which are vulnerable to XSS:

  1. Insert image
  2. Insert email
  3. Insert link

The relevant code could be found in /src/lib/defaultCommands.js.

editor.wysiwygEditorInsertHtml(
    '<img' + attrs + ' src="' + url + '" />' // line 505
);
editor.wysiwygEditorInsertHtml(
    '<a href="' + 'mailto:' + email + '">' + // line 550
    (text || email) +
    '</a>'
);
editor.wysiwygEditorInsertHtml(
    '<a href="' + url + '">' + text + '</a>' // line 610
);

Impact:

The three identified DOM-based XSS issues have limited impact, as exploitability depends on how the url, email, text and attrs variables are populated by the embedding project. Projects implementing SCEditor should take extra care to ensure these values are properly sanitized before they reach the editor.


Solution:

  • Sanitize (HTML-encode and validate) the variables mentioned in the vulnerability description section before they are concatenated into markup.
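As an added illustration of the fix (not SCEditor's own code, and not the vendor's patch), the three fragments from defaultCommands.js rebuilt so that url, email, text and the image attributes are HTML-encoded before concatenation and src/href are restricted to http(s); the helper names, the attribute allowlist and the email pattern are assumptions of this example.

```javascript
// Added example, not SCEditor's code: hardened versions of the three
// wysiwygEditorInsertHtml fragments quoted above. Helper names and the
// allowlists are assumptions of this example.

// Encode the characters that can terminate an attribute value or a text node.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only http(s) URLs for src/href; anything else (other schemes,
// unparseable input) is rejected rather than repaired.
const ALLOWED_SCHEMES = ['http:', 'https:'];
function safeUrl(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.includes(parsed.protocol) ? parsed.href : null;
}

// Image attributes are taken from an object and filtered by name, so a
// caller cannot smuggle arbitrary attributes in through the attrs string.
const ALLOWED_IMG_ATTRS = ['width', 'height', 'alt'];
function buildImg(url, attrs) {
  const src = safeUrl(url);
  if (src === null) return null;
  const attrStr = Object.entries(attrs || {})
    .filter(([name]) => ALLOWED_IMG_ATTRS.includes(name))
    .map(([name, v]) => ' ' + name + '="' + escapeHtml(v) + '"')
    .join('');
  return '<img' + attrStr + ' src="' + escapeHtml(src) + '" />';
}

// Email addresses are validated with a conservative pattern (assumption)
// and still encoded, so a quote or angle bracket can never reach the markup.
function buildEmail(email, text) {
  if (!/^[^\s<>"'@]+@[^\s<>"'@]+$/.test(String(email))) return null;
  return '<a href="mailto:' + escapeHtml(email) + '">' +
    escapeHtml(text || email) + '</a>';
}

function buildLink(url, text) {
  const href = safeUrl(url);
  if (href === null) return null;
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}
```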

Timeline:

Vulnerability found: 1.09.2019

Vendor informed: 01.09.2019 & 26.11.2019

Public Advisory: 05.12.2019 (Passed 90-days since initial contact)


References:

https://github.com/samclarke/SCEditor/commit/7fd14aecc6f0c68f1e8bb98b12f6f0da769c671a – reference for the latest version