Skip to content

XSS in richtext custom tag attributes in ezsystems/ezplatform-richtext

Moderate severity GitHub Reviewed Published Nov 25, 2021 in ezsystems/ezplatform-admin-ui • Updated Jan 9, 2023

Package

composer ezsystems/ezplatform-admin-ui (Composer)

Affected versions

>= 1.5.0, <= 1.5.25

Patched versions

1.5.25.1

Description

The rich text editor does not escape attribute data when previewing custom tags. This means XSS is possible if custom tags are used, for users who have access to editing rich text content. Frontend content view is not affected, but the vulnerability could be used by editors to attack other editors. The fix ensures custom tag attribute data is escaped in the editor.

References

@glye glye published to ezsystems/ezplatform-admin-ui Nov 25, 2021
Reviewed Nov 29, 2021
Published to the GitHub Advisory Database Dec 1, 2021
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-9jp8-cwwx-p64q
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.