vditor@1.6.5 vulnerabilities

♏ An easy-to-use Markdown editor, built to fit different application scenarios

  • latest version

    3.10.8

  • latest non vulnerable version

  • first published

    5 years ago

  • latest version published

    8 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the vditor package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version
    • M
    Cross-site Scripting (XSS)

    vditor is an easy-to-use Markdown editor, built to fit different application scenarios.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization. The victim needs to be fooled into copying a malicious payload into the text editor in order to exploit the vulnerability.

    How to fix Cross-site Scripting (XSS)?

    Upgrade vditor to version 3.8.7 or higher.

    <3.8.7
    • M
    Cross-site Scripting (XSS)

    vditor is an easy-to-use Markdown editor, built to fit different application scenarios.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization.

    How to fix Cross-site Scripting (XSS)?

    Upgrade vditor to version 3.8.13 or higher.

    <3.8.13
    • M
    Cross-site Scripting (XSS)

    vditor is an easy-to-use Markdown editor, built to fit different application scenarios.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when a user creates a link using Markdown syntax: the server does not URL-encode double quotes in the link target, so a user can break out of the href attribute.

    How to fix Cross-site Scripting (XSS)?

    Upgrade vditor to version 3.8.13 or higher.

    <3.8.13
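    As an added illustration of the href issue in the entry above (written for this page, not vditor's own code), the following minimal renderer for Markdown inline links shows how an unencoded double quote in the link target cuts the href attribute short, and how percent-encoding the URL before it is placed in the attribute keeps the value intact. The `[text](url)` regex and the sample input are assumptions made for the demonstration.

```javascript
// Added example for this page, not vditor's own code: a minimal renderer for
// Markdown inline links, [text](url), showing how an unencoded double quote
// in the URL terminates the href attribute early, and a hardened variant
// that percent-encodes the URL before placing it in the attribute.

const LINK_RE = /\[([^\]]*)\]\(([^)\s]*)\)/g;

// Escape characters that are significant in HTML text nodes and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable variant: the URL is copied into href verbatim.
function renderLinkUnsafe(markdown) {
  return markdown.replace(LINK_RE, (_, text, url) =>
    `<a href="${url}">${escapeHtml(text)}</a>`);
}

// Hardened variant: encodeURI leaves URL structure intact but turns `"`,
// `<` and `>` into %22, %3C and %3E; the attribute is then HTML-escaped too,
// so the result stays inside the quoted href value whatever the URL contains.
function renderLinkSafe(markdown) {
  return markdown.replace(LINK_RE, (_, text, url) =>
    `<a href="${escapeHtml(encodeURI(url))}">${escapeHtml(text)}</a>`);
}

// Parse the href the way a browser tokenizer would: the value ends at the
// first double quote. Anything after that is read as further attributes.
function parsedHref(html) {
  const m = html.match(/<a href="([^"]*)"/);
  return m ? m[1] : null;
}

// Constructed sample input: a link target containing a literal double quote.
const SAMPLE = '[docs](https://example.com/a"b)';

function demo() {
  const unsafe = renderLinkUnsafe(SAMPLE); // href cut short at the quote
  const safe = renderLinkSafe(SAMPLE);     // quote arrives as %22
  return { unsafe, safe, unsafeHref: parsedHref(unsafe), safeHref: parsedHref(safe) };
}
```

Running `demo()` shows the unsafe output's href ending at `https://example.com/a` with the rest of the URL spilling into the tag, while the safe output carries the whole target as `https://example.com/a%22b`.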
    • M
    Cross-site Scripting (XSS)

    vditor is an easy-to-use Markdown editor, built to fit different application scenarios.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the text editor in the website.

    PoC: enter the following payload in the editor (https://ld246.com/guide/markdown):

    </a>
    <svg><animate onbegin=alert(11) attributeName=x dur=1s>
    

    How to fix Cross-site Scripting (XSS)?

    Upgrade vditor to version 3.8.11 or higher.

    <3.8.11