XSS in richtext custom tag attributes in ezsystems/ezplatform-richtext
Moderate severity
GitHub Reviewed
Published
Nov 25, 2021
in
ezsystems/ezplatform-admin-ui
•
Updated Jan 9, 2023
Package
Affected versions
>= 1.5.0, <= 1.5.25
Patched versions
1.5.25.1
Description
Reviewed
Nov 29, 2021
Published to the GitHub Advisory Database
Dec 1, 2021
Last updated
Jan 9, 2023
The rich text editor does not escape attribute data when previewing custom tags. This means XSS is possible if custom tags are used, for users who have access to editing rich text content. Frontend content view is not affected, but the vulnerability could be used by editors to attack other editors. The fix ensures custom tag attribute data is escaped in the editor.
References