GHSA-fxwm-rx68-p5vx

Source
https://github.com/advisories/GHSA-fxwm-rx68-p5vx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-fxwm-rx68-p5vx/GHSA-fxwm-rx68-p5vx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fxwm-rx68-p5vx
Published
2021-12-01T18:28:29Z
Modified
2024-11-29T05:42:57.262192Z
Summary
XSS in richtext custom tag attributes in ezsystems/ezplatform-richtext
Details

The rich text editor does not escape attribute data when previewing custom tags. This means XSS is possible through custom tag attributes for users who have access to editing rich text content. The frontend content view is not affected, but the vulnerability could be used by editors to attack other editors. The fix ensures custom tag attribute data is escaped in the editor.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-29T20:53:09Z"
}
References

Affected packages

Packagist / ezsystems/ezplatform-richtext

Package

Name
ezsystems/ezplatform-richtext
Purl
pkg:composer/ezsystems/ezplatform-richtext

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.7.1

Affected versions

v2.*

v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7