GHSA-9jp8-cwwx-p64q

Source
https://github.com/advisories/GHSA-9jp8-cwwx-p64q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9jp8-cwwx-p64q/GHSA-9jp8-cwwx-p64q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9jp8-cwwx-p64q
Published
2021-12-01T18:28:38Z
Modified
2024-12-02T05:39:56.175674Z
Summary
XSS in richtext custom tag attributes in ezsystems/ezplatform-richtext
Details

The rich text editor does not escape attribute data when previewing custom tags. This means XSS is possible when custom tags are used, for users who have access to editing rich text content. The frontend content view is not affected, but the vulnerability could be used by one editor to attack other editors. The fix ensures custom tag attribute data is escaped in the editor.
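
The escaping gap described above, as an added illustration that is not code from ezplatform-richtext or ezplatform-admin-ui: a custom tag preview rendered with and without attribute-context escaping, plus a check that the attribute boundary survived. The tag object, the `data-attr-*` attribute names and the sample values are constructed for this example.

```javascript
// Escape the characters that can terminate a quoted attribute value or start
// markup. Escaping only < and > is not enough in attribute context: an unescaped
// " closes the attribute and whatever follows is parsed as further attributes.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable preview (the pattern the advisory describes): attribute values are
// concatenated into the preview markup verbatim.
function renderPreviewUnsafe(tag) {
  const attrs = Object.entries(tag.attributes)
    .map(([k, v]) => `data-attr-${k}="${v}"`)
    .join(' ');
  return `<div class="custom-tag-preview" data-name="${tag.name}" ${attrs}></div>`;
}

// Hardened preview: tag name, attribute names and attribute values all go
// through escapeAttr before being placed inside double-quoted attributes.
function renderPreviewSafe(tag) {
  const attrs = Object.entries(tag.attributes)
    .map(([k, v]) => `data-attr-${escapeAttr(k)}="${escapeAttr(v)}"`)
    .join(' ');
  return `<div class="custom-tag-preview" data-name="${escapeAttr(tag.name)}" ${attrs}></div>`;
}

// Check used by the test below: the rendered markup still carries the whole
// value as one escaped attribute, so the stored data could not have broken out
// of the attribute it was placed in.
function attributeBoundaryIntact(html, attrName, rawValue) {
  return html.includes(`${attrName}="${escapeAttr(rawValue)}"`);
}

// Constructed sample: an editor saves a custom tag whose attribute contains a
// double quote, which is enough to break the unsafe rendering.
const customTag = {
  name: 'factbox',
  attributes: { title: 'Quarterly "results"' },
};
```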

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-29T20:53:06Z"
}
References

Affected packages

Packagist / ezsystems/ezplatform-admin-ui

Package

Name
ezsystems/ezplatform-admin-ui
Purl
pkg:composer/ezsystems/ezplatform-admin-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.5.0
Fixed
1.5.25.1

Affected versions

v1.*

v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8-rc1
v1.5.8
v1.5.9-rc1
v1.5.9
v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.14
v1.5.15
v1.5.16
v1.5.17
v1.5.18
v1.5.19
v1.5.20
v1.5.21
v1.5.22
v1.5.23
v1.5.24
v1.5.25

Database specific

{
    "last_known_affected_version_range": "<= 1.5.25"
}