Описание
Cross-Site Scripting in @ckeditor/ckeditor5-link
Versions of status-board prior to 10.0.1 are vulnerable to Cross-Site Scripting. The _createPreviewButton() function fails to sanitize the href attribute of a created <a> tag. This may allow attackers to execute arbitrary JavaScript in a victim's browser.
Recommendation
Upgrade to version 10.0.1 or later.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2018-11093
- https://github.com/ckeditor/ckeditor5-link/commit/8cb782eceba10fc481e4021cb5d25b2a85d1b04e
- https://ckeditor.com/blog/CKEditor-5-v10.0.1-released
- https://github.com/advisories/GHSA-gvpx-9459-w3mj
- https://github.com/ckeditor/ckeditor5-link/blob/master/CHANGELOG.md#1001-2018-05-22
- https://snyk.io/vuln/SNYK-JS-CKEDITORCKEDITOR5LINK-72892
- https://www.npmjs.com/advisories/1154
Пакеты
@ckeditor/ckeditor5-link
>= 0.3.0, < 10.0.1
10.0.1
Связанные уязвимости
Cross-site scripting (XSS) vulnerability in the Link package for CKEditor 5 before 10.0.1 allows remote attackers to inject arbitrary web script through a crafted href attribute of a link (A) element.
Cross-site scripting (XSS) vulnerability in the Link package for CKEditor 5 before 10.0.1 allows remote attackers to inject arbitrary web script through a crafted href attribute of a link (A) element.