[CVE-2019-19466] SCEditor - XSS Vulnerability in Version 2.1.3

[CVE-2019-19466] SCEditor - XSS Vulnerability in Version 2.1.3


Product Information:

Software: SCEditor

Tested Version: 2.1.3, released 04.05.2018

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: A lightweight, open source, WYSIWYG BBCode and (X)HTML editor. (copied from https://www.sceditor.com/)


Vulnerability description:

There are 3 XSS vulnerabilities in SCEditor version 2.1.3.

The following are the three default features which are vulnerable to XSS:

  1. Insert image
  2. Insert email
  3. Insert link

The relevant code could be found in /src/lib/defaultCommands.js.

editor.wysiwygEditorInsertHtml(
	'<img' + attrs + ' src="' + url + '" />' // line 505
);
editor.wysiwygEditorInsertHtml(
  '<a href="' + 'mailto:' + email + '">' + // line 550
  	 (text || email) +
  '</a>'
  );
editor.wysiwygEditorInsertHtml(
	'<a href="' + url + '">' + text + '</a>' // line 610
 );

Impact:

The 3 identified dom-based XSS have limited impact and dependent on how these variables are used. Projects implementing SCEditor should take extra care to ensure proper sanitisation.


Solution:


Timeline:

Vulnerability found: 1.09.2019

Vendor informed: 01.09.2019 & 26.11.2019

Public Advisory: 05.12.2019 (Passed 90-days since initial contact)


References:

https://github.com/samclarke/SCEditor/commit/7fd14aecc6f0c68f1e8bb98b12f6f0da769c671a - reference for the latest version