[CVE-2019-19466] SCEditor – XSS Vulnerability in Version 2.1.3
Product Information:
Software: SCEditor
Tested Version: 2.1.3, released 04.05.2018
Vulnerability Type: Cross-Site Scripting (CWE-79)
Description: A lightweight, open source, WYSIWYG BBCode and (X)HTML editor. (copied from https://www.sceditor.com/)
Vulnerability description:
SCEditor version 2.1.3 contains three XSS vulnerabilities. The following default features are affected:
- Insert image
- Insert email
- Insert link
The relevant code can be found in /src/lib/defaultCommands.js. In each case a user-supplied value (url, email, text) is concatenated directly into an HTML string without escaping:
// Insert image
editor.wysiwygEditorInsertHtml(
'<img' + attrs + ' src="' + url + '" />' // line 505
);
// Insert email
editor.wysiwygEditorInsertHtml(
'<a href="' + 'mailto:' + email + '">' + // line 550
(text || email) +
'</a>'
);
// Insert link
editor.wysiwygEditorInsertHtml(
'<a href="' + url + '">' + text + '</a>' // line 610
);
Impact:
The three identified DOM-based XSS issues have limited impact on their own; the actual impact depends on how the affected variables are populated and used by the integrating application. Projects embedding SCEditor should take extra care to ensure proper sanitization.
Solution:
- Sanitize (escape) the variables listed in the vulnerability description before they are inserted into HTML.
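As an added illustration (not SCEditor's own code), the builders below mirror the three quoted commands but escape every interpolated value and allow-list the URL scheme before concatenation; the function names and the simple email check are assumptions made for this example.

```javascript
// Added example, not SCEditor's own code. Each builder mirrors one of the three
// commands quoted from defaultCommands.js, with escaping and scheme checks added.

// Escape the characters that break out of HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only absolute http(s) URLs are accepted for links and images.
function isHttpUrl(url) {
  try {
    const protocol = new URL(String(url)).protocol;
    return protocol === 'http:' || protocol === 'https:';
  } catch (e) {
    return false; // relative or unparseable input is rejected
  }
}

// The advisory's pattern (line 610): raw concatenation, shown for comparison.
function buildLinkHtmlVulnerable(url, text) {
  return '<a href="' + url + '">' + text + '</a>';
}

// Hardened "Insert link": returns null when the URL scheme is not http(s).
function buildLinkHtml(url, text) {
  if (!isHttpUrl(url)) return null;
  return '<a href="' + escapeHtml(url) + '">' + escapeHtml(text) + '</a>';
}

// Hardened "Insert email": a minimal (assumed) address check rejects whitespace
// and quote/angle characters; the value is then escaped before concatenation.
function buildEmailHtml(email, text) {
  if (!/^[^\s@"'<>]+@[^\s@"'<>]+$/.test(String(email))) return null;
  return '<a href="mailto:' + escapeHtml(email) + '">' + escapeHtml(text || email) + '</a>';
}

// Hardened "Insert image": dimensions are accepted only as positive integers,
// so the attrs string can never carry attacker-controlled text.
function buildImageHtml(url, width, height) {
  if (!isHttpUrl(url)) return null;
  let attrs = '';
  if (Number.isInteger(width) && width > 0) attrs += ' width="' + width + '"';
  if (Number.isInteger(height) && height > 0) attrs += ' height="' + height + '"';
  return '<img' + attrs + ' src="' + escapeHtml(url) + '" />';
}
```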
Timeline:
Vulnerability found: 01.09.2019
Vendor informed: 01.09.2019 & 26.11.2019
Public advisory: 05.12.2019 (90 days passed since initial contact)
References:
https://github.com/samclarke/SCEditor/commit/7fd14aecc6f0c68f1e8bb98b12f6f0da769c671a – reference for the latest version