vditor@3.4.5 vulnerabilities

♏ An easy-to-use Markdown editor, built to suit different application scenarios

Direct Vulnerabilities

Known vulnerabilities in the vditor package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity) and vulnerable version range:

Cross-site Scripting (XSS), severity: M (medium)

vditor is an easy-to-use Markdown editor, built to suit different application scenarios.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input. To exploit it, the victim must be tricked into copying a malicious payload into the text editor.

How to fix Cross-site Scripting (XSS)?

Upgrade vditor to version 3.8.7 or higher.

Vulnerable versions: <3.8.7

Cross-site Scripting (XSS), severity: M (medium)


Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization.

How to fix Cross-site Scripting (XSS)?

Upgrade vditor to version 3.8.13 or higher.

Vulnerable versions: <3.8.13

Cross-site Scripting (XSS), severity: M (medium)


Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when a user creates a link using Markdown syntax: double quotes in the link destination are not URL-encoded when the href attribute is rendered, so a crafted destination can close the href attribute and inject further attributes (such as an event handler) into the <a> tag.

How to fix Cross-site Scripting (XSS)?

Upgrade vditor to version 3.8.13 or higher.

Vulnerable versions: <3.8.13

Cross-site Scripting (XSS), severity: M (medium)


Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the text editor on the website.

PoC: enter the following payload in the editor (https://ld246.com/guide/markdown):

</a>
<svg><animate onbegin=alert(11) attributeName=x dur=1s>

The leading </a> breaks out of an enclosing anchor element, and the onbegin handler on the SVG animation runs as soon as the animation starts, so no user interaction is required.

How to fix Cross-site Scripting (XSS)?

Upgrade vditor to version 3.8.11 or higher.

Vulnerable versions: <3.8.11
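As an added example (not vditor's own code and not taken from the advisories above), the following JavaScript shows the two bug classes listed on this page side by side: the link-destination entry, where double quotes are not encoded inside href, and the raw-HTML PoC entry (the </a><svg><animate onbegin=...> payload). A toy renderer is written in a vulnerable and a hardened form and run over constructed payloads. The function names, the allow-listed URL schemes and the payload strings are assumptions of this example; the advisories say nothing about how vditor's renderer is structured internally.

```javascript
// Added example for this page (not vditor's own code): a minimal Markdown link
// renderer in a vulnerable and a hardened form. It models the two bug classes
// in the advisories above: an un-encoded link destination breaking out of the
// href attribute, and raw HTML outside links passing straight into the output.
// Function names and the allow-listed URL schemes are assumptions of this example.

// Simplified link syntax: [text](destination). Real Markdown parsers are more
// permissive; the point here is the encoding of what ends up in the HTML.
const LINK_RE = /\[([^\]]*)\]\(([^)]*)\)/g;

// Escape the characters that matter in HTML text nodes and double-quoted
// attribute values.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
}

// VULNERABLE: the link text is escaped, but the destination is placed in href
// as-is, and everything outside a link is emitted as raw HTML.
function renderVulnerable(markdown) {
  let out = '';
  let last = 0;
  for (const m of markdown.matchAll(LINK_RE)) {
    out += markdown.slice(last, m.index);                 // raw pass-through
    out += `<a href="${m[2]}">${escapeHtml(m[1])}</a>`;   // un-encoded href
    last = m.index + m[0].length;
  }
  return out + markdown.slice(last);
}

// Allow only http, https, mailto and relative destinations (assumed policy).
// Whitespace and control characters are stripped before the scheme check
// because browsers ignore them when parsing a URL ("java\tscript:" still runs).
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
function isSafeDestination(dest) {
  const probe = dest.replace(/[\x00-\x20]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(probe);
  if (!m) return true;                                    // relative URL
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}

// HARDENED: the destination is attribute-encoded (percent-encoding '"' as %22
// would also close this hole), disallowed schemes are rendered as plain text,
// and text outside links is escaped instead of being treated as HTML.
function renderSafe(markdown) {
  let out = '';
  let last = 0;
  for (const m of markdown.matchAll(LINK_RE)) {
    const [whole, text, dest] = m;
    out += escapeHtml(markdown.slice(last, m.index));
    out += isSafeDestination(dest)
      ? `<a href="${escapeHtml(dest)}">${escapeHtml(text)}</a>`
      : escapeHtml(whole);
    last = m.index + whole.length;
  }
  return out + escapeHtml(markdown.slice(last));
}

// Check helper: list the attribute names of the first <a> tag in the output.
// An injected event handler shows up here as a second attribute.
function attributeNames(html) {
  const tag = /<a\s+([^>]*)>/.exec(html);
  if (!tag) return [];
  return Array.from(tag[1].matchAll(/([a-zA-Z-]+)="[^"]*"/g), (m) => m[1]);
}

// Constructed payloads. The first is the href break-out from the link
// advisory; the second is the raw-HTML PoC from the svg/animate advisory.
const LINK_PAYLOAD = '[click](https://example.com/" onmouseover="alert&#40;1&#41;)';
const RAW_HTML_PAYLOAD = '</a>\n<svg><animate onbegin=alert(11) attributeName=x dur=1s>';

function demo() {
  return {
    vulnerableLink: renderVulnerable(LINK_PAYLOAD),
    vulnerableAttrs: attributeNames(renderVulnerable(LINK_PAYLOAD)),
    safeLink: renderSafe(LINK_PAYLOAD),
    safeAttrs: attributeNames(renderSafe(LINK_PAYLOAD)),
    vulnerableRaw: renderVulnerable(RAW_HTML_PAYLOAD),
    safeRaw: renderSafe(RAW_HTML_PAYLOAD),
  };
}

console.log(demo());
```

Running the block prints both renderings: the vulnerable output carries an onmouseover attribute on the <a> tag and passes the svg/animate markup through untouched, while the hardened output keeps a single href attribute and turns the raw HTML into text. The scheme allow-list is a separate defence from the quote encoding: encoding alone still lets a javascript: destination through, and the allow-list alone still lets a quote break out of the attribute. The actual fix for vditor is the upgrade named in each entry.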