Homepage

tui-editor@1.0.1 vulnerabilities

GFM Markdown Wysiwyg Editor - Productive and Extensible

  • latest version

    1.4.10

  • first published

    6 years ago

  • latest version published

    5 years ago

  • licenses detected

  • View tui-editor package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the tui-editor package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Scripting (XSS)

    tui-editor is a GFM Markdown Wysiwyg Editor.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Base tags are not sanitized which can be leveraged for XSS.

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for tui-editor.

    *
    • M
    Cross-site Scripting (XSS)

    tui-editor is a GFM Markdown Wysiwyg Editor.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via MarkdownPreview.

    How to fix Cross-site Scripting (XSS)?

    A fix was pushed into the master branch but not yet published.

    *
    • M
    Denial of Service (DoS)

    tui-editor is a GFM Markdown Wysiwyg Editor.

    Affected versions of this package are vulnerable to Denial of Service (DoS) by typing: <img name=createElement>, which causes document.createElement to refer to the DOM Element instead of the createElement function.

    How to fix Denial of Service (DoS)?

    There is no fixed version for tui-editor.

    *
    • M
    Cross-site Scripting (XSS)

    tui-editor is a GFM Markdown Wysiwyg Editor.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). When used in WYSIWYG only mode, it is affected by a persistent XSS which requires user interaction. The root cause is that firstLine is not sanitized properly.

    How to fix Cross-site Scripting (XSS)?

    Upgrade tui-editor to version 2.2.0 or higher.

    <2.2.0
    • M
    Cross-site Scripting (XSS)

    tui-editor is a GFM Markdown Wysiwyg Editor.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). JavaScript inserted into the editor is not sanitized by the library.

    PoC

    <img foo=">" src=x onerror="alert(1)">
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<svg onload="javascript:alert(document.cookie)" xmlns="#"></svg>

    How to fix Cross-site Scripting (XSS)?

    There is no fixed version for tui-editor.

    >=0.0.0
    Go back to all versions of this package