Cross-site Scripting (XSS) - Stored in vanessa219/vditor
Valid
Reported on Jan 24th 2022
Description
vanessa219/vditor is a browser-based markdown editor. If the user passes javascript:alert(document.domain)
as the URL value when creating a link with the markdown link syntax, the value is not sanitized and the link is rendered as is.
Proof of Concept
XSS PoC : [xss](javascript:alert(document.domain))
1. Open https://ld246.com/guide/markdown
2. Enter the XSS PoC
3. Click the Link
Video : https://www.youtube.com/watch?v=5zzdiBivNSs
Impact
Through this vulnerability, an attacker is able to execute malicious scripts.
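The root cause described above is a link renderer that emits whatever the user supplied as the href without checking its URL scheme. As an added example (not part of this report and not vditor's code), the block below shows the defensive check a renderer should apply: an allowlist of URL schemes, evaluated after normalizing the href the way a browser would (entity decoding, removal of ASCII whitespace and control characters, case folding), so that spelling variants of the same scheme are rejected along with the plain form from the PoC. Links that fail the check keep their label but lose their target. The function names, the allowlist contents and the minimal link regex are this example's own assumptions.

```javascript
// Added example, not vditor's code: reject link targets whose URL scheme is
// not on an allowlist before the markdown renderer emits an <a href>.
// All names here (isSafeHref, renderLinks, SAFE_SCHEMES, ...) are assumptions of this example.

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Clamp out-of-range code points so an entity like "&#99999999;" cannot throw.
function codePoint(n) {
  return n > 0x10ffff ? '\ufffd' : String.fromCodePoint(n);
}

// Decode the entity forms a browser decodes inside an attribute value, so that
// "&#106;avascript:" or "javascript&colon;" are seen as "javascript:".
function decodeEntities(s) {
  const named = { colon: ':', tab: '\t', newline: '\n' };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePoint(parseInt(d, 10)))
    .replace(/&(colon|tab|newline);/gi, (_, n) => named[n.toLowerCase()]);
}

// Browsers strip ASCII whitespace/control characters before parsing the scheme
// and compare schemes case-insensitively; mirror both so "java\tscript:" or
// "JAVASCRIPT:" cannot slip past the check.
function normalizeHref(href) {
  return decodeEntities(String(href))
    .replace(/[\u0000-\u0020\u007f]/g, '')
    .toLowerCase();
}

// True when the href has no scheme (relative or protocol-relative URL) or uses
// an allowed scheme; javascript:, data:, vbscript: and friends are rejected.
function isSafeHref(href) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalizeHref(href));
  if (!m) return true;
  return SAFE_SCHEMES.has(m[1]);
}

// Escape text and attribute values before they are placed into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal renderer for inline markdown links [label](url); one level of balanced
// parentheses is allowed inside the URL, as in the PoC payload above.
const LINK_RE = /\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)/g;

function renderLinks(markdown) {
  return markdown.replace(LINK_RE, (_, label, url) => {
    const text = escapeHtml(label);
    // Unsafe target: keep the visible label, drop the href so the anchor is inert.
    if (!isSafeHref(url)) return `<a>${text}</a>`;
    return `<a href="${escapeHtml(url)}">${text}</a>`;
  });
}

// Constructed sample input: the PoC from this report next to a legitimate link.
console.log(renderLinks('[xss](javascript:alert(document.domain)) and [docs](https://ld246.com/guide/markdown)'));
```

The allowlist is deliberately short: a denylist of dangerous schemes is easy to miss entries in, whereas an allowlist fails closed when an unexpected scheme appears. The normalization step matters as much as the list itself, because the browser applies the same decoding and whitespace stripping before it decides whether an href is executable.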
Pocas modified the report