jodit@4.0.0-beta.69

Jodit is an awesome and useful wysiwyg editor with filebrowser

  • latest version

    4.12.35

  • first published

    10 years ago

  • latest version published

    2 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the jodit package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M (medium severity)
    Prototype Pollution

    jodit is a WYSIWYG editor with a file browser.

    Affected versions of this package are vulnerable to Prototype Pollution via the ConfigMerge and ConfigProto helpers in the configuration code. An attacker who can supply user-controlled configuration to Jodit.configure() with nested keys such as controls.__proto__ can mutate Object.prototype, injecting properties that alter application behavior or cause a denial of service in code that consumes the merged options.

    How to fix Prototype Pollution?

    Upgrade jodit to version 4.12.18 or higher.

    <4.12.18
    • M (medium severity)
    Cross-site Scripting (XSS)


    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the safeHTML sanitizer in src/core/helpers/html/safe-html.ts and the sanitization paths the clean-html plugin runs on value-set and on-change. An attacker can execute script in a victim's page by supplying HTML that hides an event-bearing element inside a MathML/<style> rawtext carrier and relying on a later reparse to hoist it back into a live HTML node. The sanitizer walks the inert parse tree instead of removing the smuggled foreign HTML itself, so editor.value can retain a live <img> or similar element with handlers such as onload or onfocus. When an application renders that stored value, the handler fires without user interaction, leading to XSS in any consumer that trusts the editor output.

    How to fix Cross-site Scripting (XSS)?

    Upgrade jodit to version 4.12.28 or higher.

    <4.12.28
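    The advisory's point is that a sanitizer which walks the parsed tree can miss markup smuggled inside a rawtext carrier (a <style> nested in <math> or <svg>) that only becomes a live element on a later reparse. A consumer that stores editor.value should therefore not trust it. The following is an added example, not Jodit's or Snyk's code: a server-side tripwire that scans the serialized string itself, so it sees an inline event handler or a script: URL regardless of parsing context. Function names, the sample payloads and the regular expressions are my own constructions.

```javascript
// Added example (not Jodit's or Snyk's code): a string-level gate for HTML
// returned by a browser-side editor. It rejects inline event handlers and
// javascript:/vbscript: URLs wherever they appear, and flags the carrier
// shape the advisory describes (a rawtext element inside <math>/<svg>).
// It is a detection gate (reject and log), not a sanitizer.

// Map a code point to a string, dropping values outside the Unicode range.
function codePointToString(n) {
  return n > 0x10ffff ? '' : String.fromCodePoint(n);
}

// Decode numeric character references so "&#60;img" is scanned as "<img".
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePointToString(parseInt(d, 10)));
}

// An on* attribute on any tag-like token, whatever context it sits in.
const HANDLER_ATTR = /<([a-z][a-z0-9-]*)[^>]*?[\s"'/](on[a-z0-9_-]+)\s*=/gi;
// A javascript:/vbscript: scheme at the start of any attribute value.
const SCRIPT_URL = /=\s*["']?\s*(?:javascript|vbscript)\s*:/i;
// A rawtext/RCDATA element opened inside foreign content: the smuggling shape.
const FOREIGN_RAWTEXT =
  /<(math|svg)\b[^>]*>[\s\S]*?<(style|script|xmp|textarea|noscript)\b/i;

// Return every inline handler found, with the tag it hangs on.
function findSmuggledHandlers(html) {
  const decoded = decodeNumericEntities(html);
  const hits = [];
  for (const m of decoded.matchAll(HANDLER_ATTR)) {
    hits.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(), offset: m.index });
  }
  return hits;
}

// Gate for stored content: "reject" reasons block the save, "suspicious"
// reasons are for review (inline SVG icons legitimately contain <style>).
function inspectEditorValue(html) {
  const decoded = decodeNumericEntities(html);
  const reject = [];
  const suspicious = [];
  const handlers = findSmuggledHandlers(html);
  if (handlers.length) {
    reject.push('inline event handler: ' +
      handlers.map((h) => `<${h.tag} ${h.attr}>`).join(', '));
  }
  if (SCRIPT_URL.test(decoded)) reject.push('script: URL in attribute value');
  if (FOREIGN_RAWTEXT.test(decoded)) suspicious.push('rawtext carrier inside <math>/<svg>');
  return { ok: reject.length === 0, reject, suspicious };
}

// Constructed sample values, as an application might receive from the editor.
const SAMPLES = {
  benign: '<p>Price <b>10</b> &gt; 5, see <a href="https://example.com">docs</a></p>',
  smuggled: '<p>hi</p><math><style><img src=x onload=alert(1)></style></math>',
  encoded: '<svg><style>&#60;img src=x onerror=alert(1)&#62;</style></svg>',
  scriptUrl: '<a href="JavaScript&#58;alert(1)">x</a>',
};
```

Call inspectEditorValue() on the submitted value before persisting it and refuse the write when ok is false. Because the check is context-free it will also flag harmless text such as an attribute value containing " onx=", so treat rejections as a signal to log and review rather than as proof of attack, and keep a real HTML sanitizer in front of any rendering of the stored value.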
    • M (medium severity)
    Prototype Pollution


    Affected versions of this package are vulnerable to Prototype Pollution via the Jodit.modules.Helpers.set() function. An attacker can inject unexpected properties into Object.prototype by supplying a crafted path whose segments include __proto__, constructor, or prototype.

    How to fix Prototype Pollution?

    Upgrade jodit to version 4.12.26 or higher.

    <4.12.26
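    Both prototype-pollution entries on this page describe the same two shapes: a recursive configuration merge that descends into whatever target[key] resolves to, and a dotted-path setter that walks segments without checking them. The following is an added example, not Jodit's or Snyk's code, that reproduces each vulnerable shape beside a hardened version and verifies on a fresh object whether Object.prototype was touched. Function names are my own; the hostile input is a constructed sample.

```javascript
// Added example (not Jodit's or Snyk's code): why a "__proto__" key in
// user-supplied configuration pollutes Object.prototype, for a recursive
// merge and for a path setter, and the checks that stop it.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Vulnerable shape: for key "__proto__", target[key] resolves to
// Object.prototype, so the nested object is merged into every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the dangerous keys outright and only descend into an
// own property, never into something inherited from the prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable shape: "__proto__.x" walks onto Object.prototype and sets x there;
// "constructor.prototype.x" reaches the same place via the Object function.
function naiveSet(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: validate every segment before walking, and only walk own props.
function safeSet(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) throw new Error(`refusing to set path "${path}"`);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || !isPlainObject(cur[k])) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Run each shape against a hostile input and report whether an unrelated,
// freshly created object picked up the injected property. Cleans up after
// itself so the pollution does not leak into the rest of the process.
function demonstrate() {
  // Constructed hostile configuration, as if parsed from a request body.
  // JSON.parse creates an own property literally named "__proto__".
  const hostile = JSON.parse('{"controls":{"__proto__":{"polluted":"yes"}}}');
  const probe = () => ({}).polluted === 'yes';
  const out = {};
  try { naiveMerge({}, hostile); out.naiveMergePolluted = probe(); }
  finally { delete Object.prototype.polluted; }
  try {
    try { safeMerge({}, hostile); out.safeMergeThrew = false; } catch { out.safeMergeThrew = true; }
    out.safeMergePolluted = probe();
  } finally { delete Object.prototype.polluted; }
  try { naiveSet({}, '__proto__.polluted', 'yes'); out.naiveSetPolluted = probe(); }
  finally { delete Object.prototype.polluted; }
  try {
    try { safeSet({}, 'constructor.prototype.polluted', 'yes'); out.safeSetThrew = false; } catch { out.safeSetThrew = true; }
    out.safeSetPolluted = probe();
  } finally { delete Object.prototype.polluted; }
  return out;
}
```

The key-name denylist is the minimum; a stricter merge additionally copies into objects created with Object.create(null) or freezes Object.prototype at startup (Object.freeze(Object.prototype)) so that any remaining gadget fails loudly instead of silently changing behavior.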
    • M (medium severity)
    Cross-site Scripting (XSS)


    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rich text editor component, allowing an attacker to obtain sensitive information by sending a specially crafted payload.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for jodit.

    * (all versions)
    • M (medium severity)
    Cross-site Scripting (XSS)


    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when pasting specially constructed input.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for jodit.

    * (all versions)