Cross-site Scripting (XSS) - Stored in vanessa219/vditor


Reported on

Dec 10th 2021


The editor has an XSS vulnerability.

Proof of Concept


<svg><animate onbegin=alert(11) attributeName=x dur=1s>

Open the editor, enter the payload, and trigger the XSS vulnerability.


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
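The following is an added example, not part of the original report and not vditor's code or its fix. The payload above contains no `<script>` tag, so a filter that only strips script tags passes it unchanged, while rebuilding the output from an allowlist of tags and attributes renders it inert. The function names and the allowlists are assumptions chosen for illustration.

```javascript
// Added example; not vditor code. POC is the payload quoted in this report.
const POC = "<svg><animate onbegin=alert(11) attributeName=x dur=1s>";

// Weak: a denylist that only knows about <script> leaves the payload untouched.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Hardened: output is rebuilt from an allowlist (assumed lists; tune per product).
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "code", "pre", "a", "ul", "ol", "li", "br"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
const SAFE_URL = /^(https?:|mailto:|#|\/)/i;
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

function filterAttrs(tag, text) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let out = "", m;
  while ((m = attrRe.exec(text)) !== null) {
    const key = m[1].toLowerCase();
    const val = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(key)) continue;                  // drops onbegin, onclick, style, ...
    if (key === "href" && !SAFE_URL.test(val.trim())) continue; // drops javascript: URLs
    out += ` ${key}="${escapeHtml(val)}"`;            // values are re-escaped, never decoded
  }
  return out;
}

function sanitize(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));     // text between tags is inert
    last = tagRe.lastIndex;
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) out += escapeHtml(m[0]); // unknown tag shown as text
    else if (m[1]) out += `</${name}>`;
    else out += `<${name}${filterAttrs(name, m[3])}>`;
  }
  return out + escapeHtml(html.slice(last));
}

console.log(stripScriptTags(POC)); // unchanged payload
console.log(sanitize(POC));        // escaped, no markup left
```

The regex tokenizer keeps the example dependency-free; it fails closed because anything it does not recognise as an allowlisted tag is escaped and shown as text.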

We are processing your report and will contact the vanessa219/vditor team within 24 hours. (6 months ago)
We have contacted a member of the vanessa219/vditor team and are waiting to hear back. (6 months ago)
V validated this vulnerability. (6 months ago)
ning1022 has been awarded the disclosure bounty
The fix bounty is now up for grabs
4 months ago


V confirmed that a fix has been merged on 8d4d08. (4 months ago)
The fix bounty has been dropped