Cross-site Scripting (XSS) - Generic in uiwjs/react-md-editor


Reported on

Dec 6th 2021


XSS vulnerability through the markdown editor

Proof of Concept

<IFRAME SRC="javascript:javascript:alert(window.origin);"></IFRAME>

Steps to Reproduce

Visit the demo page. Paste the payload in the markdown editor.


  • Steal a user's token
  • Session hijacking ...
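Added here as an example, not part of the report or of react-md-editor's own code: a regression check a maintainer could run over a markdown renderer's HTML output to confirm that raw-HTML input such as the proof of concept above does not survive rendering. The forbidden-tag and URL-attribute lists are assumptions chosen for this example; production sanitization should still be done by an allowlist sanitizer rather than by a scan like this.

```javascript
// Regression check for a markdown renderer: scan rendered HTML for constructs
// that let raw-HTML markdown execute script. Example code, not react-md-editor's.

// The payload from the report above, used as constructed test input.
const REPORT_PAYLOAD =
  '<IFRAME SRC="javascript:javascript:alert(window.origin);"></IFRAME>';

// Elements that should never survive rendering of untrusted markdown (assumed list).
const FORBIDDEN_TAGS = new Set(['iframe', 'script', 'object', 'embed', 'style', 'form']);

// Attributes whose value is a URL and must not carry a script scheme (assumed list).
const URL_ATTRS = new Set(['src', 'href', 'xlink:href', 'action', 'formaction']);

// Normalise an attribute value roughly the way a browser does before scheme
// parsing: decode numeric entities, drop control/whitespace characters, lowercase.
function normalizeUrl(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\u0000-\u0020]/g, '')
    .toLowerCase();
}

// Return a list of findings ({ tag, reason }) for the given rendered HTML.
// An empty list means the renderer stripped or escaped every dangerous construct.
function findUnsafeHtml(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9:-]*)\b([^>]*)>/gi;           // opening tags only
  const attrRe = /([a-z_:][a-z0-9_:.-]*)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (FORBIDDEN_TAGS.has(tag)) findings.push({ tag, reason: 'forbidden element' });
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[3] || a[4] || a[5] || '';
      // Inline event handlers (on*) execute script regardless of the element.
      if (name.startsWith('on')) findings.push({ tag, reason: `event handler ${name}` });
      // javascript:/vbscript:/data: in a URL attribute is the report's vector.
      if (URL_ATTRS.has(name) && /^(javascript|vbscript|data):/.test(normalizeUrl(value))) {
        findings.push({ tag, reason: `script scheme in ${name}` });
      }
    }
  }
  return findings;
}
```

Run it against the renderer's actual output for the payload, not the raw markdown: a renderer that escapes the tags produces `&lt;iframe ...` and the scan returns nothing, which is the behaviour the test should assert.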
We are processing your report and will contact the uiwjs/react-md-editor team within 24 hours.
a year ago
We created a GitHub Issue asking the maintainers to create a
a year ago
Jamie Slome
a year ago


Thanks for your report @esidate. The maintainers have requested that we make the report public.

I am going to share the report URL with them on the GitHub Issue now 👍

El Mahdi Sidate
a year ago


Thank you Jamie.

小弟调调™ validated this vulnerability a year ago
El Mahdi Sidate has been awarded the disclosure bounty
The fix bounty is now up for grabs
小弟调调™ marked this as fixed in 3.8.4 with commit d4ffe5 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago

Hello. Is the above patch not applied to the demo site yet?
