WS-2018-0600
Date: December 21, 2018
quill before 1.3.7 is vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.
Language: Java
Severity Score
Weakness Type (CWE)
Improper Access Control
CWE-284

Top Fix

Upgrade Version
Upgrade to version: guysolamour/laravel-administrable - v5.2.0;guysolamour/laravel-administrable - v5.5.3;guysolamour/laravel-administrable - dev-dependabot/bundler/docs/nokogiri-1.13.3;guysolamour/laravel-administrable - v5.1.8;guysolamour/laravel-administrable - v5.1.5;guysolamour/laravel-administrable - v5.0.0;guysolamour/laravel-administrable - v5.0.4;guysolamour/laravel-administrable - dev-dependabot/bundler/docs/rake-12.3.3;guysolamour/laravel-administrable - v0.1;guysolamour/laravel-administrable - v2.0;hhniao/laravel-admin - 0.8.1;barrelstrength/sprout-base - dev-dependabot/npm_and_yarn/websocket-extensions-0.1.4;barrelstrength/sprout-base - v1.1.3;barrelstrength/sprout-base - v3.0.1;barrelstrength/sprout-base - v3.0.3;barrelstrength/sprout-base - v2.0.1;barrelstrength/sprout-base - v2.0.3;barrelstrength/sprout-base - v2.0.5;barrelstrength/sprout-base - v3.0.8;barrelstrength/sprout-base - v1.1.5;barrelstrength/sprout-base - v4.0.3;barrelstrength/sprout-base - v1.0.3;barrelstrength/sprout-base - v1.1.6;barrelstrength/sprout-base - v3.0.5;barrelstrength/sprout-base - v2.0.7;barrelstrength/sprout-base - v1.1.0;barrelstrength/sprout-base - v1.0.9;barrelstrength/sprout-base - dev-dependabot/npm_and_yarn/path-parse-1.0.7;barrelstrength/sprout-base - v1.0.2;barrelstrength/sprout-base - v2.0.4;barrelstrength/sprout-base - v1.0.6;barrelstrength/sprout-base - v3.0.2;barrelstrength/sprout-base - v4.0.5;barrelstrength/sprout-base - v4.0.0;barrelstrength/sprout-base - v3.0.7;barrelstrength/sprout-base - v1.1.4;barrelstrength/sprout-base - dev-feature/purge-elements;barrelstrength/sprout-base - v4.0.2;barrelstrength/sprout-base - v3.0.4;barrelstrength/sprout-base - v2.0.2;barrelstrength/sprout-base - v2.0.6;barrelstrength/sprout-base - v3.0.0;barrelstrength/sprout-base - v3.0.10;barrelstrength/sprout-base - v1.0.5;barrelstrength/sprout-base - v4.0.4;barrelstrength/sprout-base - v4.0.1;barrelstrength/sprout-base - v3.0.6;
barrelstrength/sprout-base - v2.0.8;barrelstrength/sprout-base - v2.0.10;webreinvent/vaahcms - dev-release/backend-job-batching;webreinvent/vaahcms - dev-feature/modules-page;webreinvent/vaahcms - dev-master;webreinvent/vaahcms - dev-release/vaahcms-setup;webreinvent/vaahcms - dev-snyk-upgrade-2b3a06ccbfca46e8040f51a35d96da64;webreinvent/vaahcms - dev-feature/advanced-jobs-setion;webreinvent/vaahcms - dev-release/v0.1.4;webreinvent/vaahcms - v0.2.5;webreinvent/vaahcms - dev-feature/developing-vaahvue;webreinvent/vaahcms - dev-hotfix/installation-issue-settings.json-removed;webreinvent/vaahcms - 2.0.1;webreinvent/vaahcms - dev-feature/resolve-some-issue;webreinvent/vaahcms - v0.2.4;webreinvent/vaahcms - dev-feature/backend-logo-in-config;webreinvent/vaahcms - dev-release/minor-release-column-indexes;webreinvent/vaahcms - dev-feature/permission-page;webreinvent/vaahcms - dev-feature/themes-page;webreinvent/vaahcms - dev-feature/database-export-and-import;webreinvent/vaahcms - 1.0.0;moman13/dashboard-setup - no_fix;yousry943/easyadmin - dev-dependabot/composer/league/flysystem-1.1.4;yousry943/easyadmin - no_fix;yousry943/easyadmin - dev-dependabot/composer/guzzlehttp/guzzle-6.5.8;zrkb/nexus - dev-dependabot/npm_and_yarn/url-parse-1.5.7;zrkb/nexus - no_fix;zrkb/nexus - dev-dependabot/npm_and_yarn/moment-2.29.2;zrkb/nexus - dev-dependabot/npm_and_yarn/minimist-1.2.6;barrelstrength/sprout-notes - v1.0.0;barrelstrength/sprout-notes - v2.2.2;barrelstrength/sprout-notes - v2.2.1;barrelstrength/sprout-notes - v2.2.3;barrelstrength/sprout-notes - v2.0.1;AutoDomain.Modules.Core.Blazor - 4.1.205;redwine/redwine - dev-new-version;jawad-topdot/laravel-admin - 1.0.10;jawad-topdot/laravel-admin - 1.0.21;jawad-topdot/laravel-admin - 1.0.12;CommonWeb - 2.0.3-alpha005;CommonWeb - 2.0.0-alpha036;CommonWeb - 2.0.0-alpha025;jviatge/satadmin - no_fix;jviatge/satadmin - v1.0.0;moonshine/quill - no_fix;develogs/panel - no_fix;philiplb/crudlex - 0.9;philiplb/crudlex - no_fix;philiplb/crudlex - 0.13.0;
capile/tecnodesign - 2.3.80;capile/tecnodesign - 2.2.21;capile/tecnodesign - 2.2.2;capile/tecnodesign - 2.2.7;capile/tecnodesign - 2.3.28;capile/tecnodesign - dev-feature/editor-counter;revise/prime-cms - 0.3.0;revise/prime-cms - 0.3.6;revise/prime-cms - no_fix;revise/prime-cms - 0.1.0;jd-dotlogics/laravel-admin - 2.0.23;jd-dotlogics/laravel-admin - 2.0.26;jd-dotlogics/laravel-admin - 2.0.9;jd-dotlogics/laravel-admin - 2.0.20;jd-dotlogics/laravel-admin - 2.0.11;jd-dotlogics/laravel-admin - 2.0.17;jd-dotlogics/laravel-admin - 2.0.4;jd-dotlogics/laravel-admin - no_fix;acacha/events - 0.1.0;sledov/flarum-ext-quill - no_fix;sledov/flarum-ext-quill - 0.1.0-beta.1;westsoft/acl - no_fix;westsoft/acl - v0.0.8-beta;PWPTemplateCMS - no_fix;hillelcoren/invoice-ninja - v4.5.32;hillelcoren/invoice-ninja - v5.0.12;hillelcoren/invoice-ninja - v3.3.1;hillelcoren/invoice-ninja - v5.1.73;hillelcoren/invoice-ninja - v5.3.20;hillelcoren/invoice-ninja - v3.2.1;hillelcoren/invoice-ninja - v5.0.29;hillelcoren/invoice-ninja - v4.5.45;hillelcoren/invoice-ninja - dev-eway;hillelcoren/invoice-ninja - v4.5.7;hillelcoren/invoice-ninja - v4.4.1;hillelcoren/invoice-ninja - dev-v5-stable;hillelcoren/invoice-ninja - v2.6.6;xzprod/quill-widget - no_fix;mikebywater/kafka-author - 0.1;mikebywater/kafka-author - no_fix;webup/laravel-blog - no_fix;webup/laravel-blog - 0.1;webup/laravel-blog - 0.3;rembon/laravel-crud-generator - no_fix;barrelstrength/sprout-base-fields - v1.0.6;barrelstrength/sprout-base-fields - v1.1.0;barrelstrength/sprout-base-fields - v1.0.3;barrelstrength/sprout-base-fields - dev-dependabot/npm_and_yarn/url-parse-1.5.10;barrelstrength/sprout-base-fields - v1.0.4;barrelstrength/sprout-base-fields - dev-dependabot/npm_and_yarn/minimist-1.2.6;barrelstrength/sprout-base-fields - no_fix;barrelstrength/sprout-base-fields - v1.0.1;barrelstrength/sprout-base-fields - dev-dependabot/npm_and_yarn/json-schema-and-jsprim-0.4.0;
barrelstrength/sprout-base-fields - dev-dependabot/npm_and_yarn/postcss-and-laravel-mix-and-resolve-url-loader-8.4.18;barrelstrength/sprout-base-fields - v1.0.2;barrelstrength/sprout-base-fields - v1.0.0;barrelstrength/sprout-base-fields - v1.0.5;maxiter/maxiter - no_fix;dcat-xk/laravel-admin - 0.8.1;omerz/heroadm - no_fix;jackh/yii2-aurora - 1.0.0;dcat/laravel-admin - 0.8.1;groupefbo/ezframe - no_fix;statikbe/laravel-sir-trevor - no_fix;didrive/base - no_fix;didrive/base - 0.0.1;didrive/base - 2.10.0;deshiserver/heroui - no_fix;panel - 0.14.4;panel - 1.2.3;panel - 1.2.0;bakerysoft/laravelbakerysoft - no_fix;odaiatef/crudbooster - v5.5.1;odaiatef/crudbooster - dev-master;odaiatef/crudbooster - v6.0-beta.1;odaiatef/crudbooster - 2.1.x-dev;rdp77/veyaz - no_fix;rainbowl/laravel-admin - 0.8.1;andmarruda/sbblog - no_fix;warrenkfz/laravel-admin - 0.8.1;nowyouwerkn/wecommerce - dev-moon;nowyouwerkn/wecommerce - dev-satellite;nowyouwerkn/wecommerce - 1.5;nowyouwerkn/wecommerce - dev-main;nowyouwerkn/wecommerce - no_fix;liuyi/laravel-admin - 0.8.1;mrmarchone/kayan - no_fix;klezbucket/laravelito - no_fix;rekamy/generator - v2.0.7;rekamy/generator - v5.0.0;rekamy/generator - dev-stable;opoink/framework - v1.0.1;opoink/framework - v1.2.0-beta;opoink/framework - v1.2.0;satriotol/fastcrud - 10.x-dev;moeen1/helpsupport - no_fix;os2display/template-extension-bundle - no_fix;didrive/cms - dev-stable;didrive/cms - 1.0.0;juzaweb/juzacms - dev-bugfix/220-admin-prefix;BizBlocks - no_fix;ngorei/framework - no_fix;ngorei/framework - v2.0.4;chrisbraybrooke/laravel-ecommerce - 0.0.17;chrisbraybrooke/laravel-ecommerce - 0.0.2;chrisbraybrooke/laravel-ecommerce - 0.0.56;chrisbraybrooke/laravel-ecommerce - dev-form-field-key;ajifatur/faturcms - v1.0.0-alpha;karlito-web/layouts - no_fix;ozzzzam/flarum-ext-quill-with-image - 0.1.0-beta.1;ozzzzam/flarum-ext-quill-with-image - no_fix;persist/coreui - no_fix;itshayu/laravel-admin - 0.8.1;miaad/helpsupport - no_fix;maurolacerda-tech/ml-framework - no_fix;
ekxs/laravel-admin - 0.8.1;silverstripers/silverstripe-postmarked - no_fix;jackchow/laravel-admin - 0.8.1;jorry2008/dcat-admin - 0.8.1;umkdev/umkkit - no_fix;disatapp/light-blog - no_fix;edguy/admin_panel - no_fix;edguy/admin_panel - 1.0;mirosadoma/amr_components - no_fix;dfront-br/jetstream-crud - 0.0.1;dfront-br/jetstream-crud - no_fix;webcosmonauts/alder - no_fix;visanduma/laravel-formy - no_fix;juzaweb/laravel-cms - dev-feature/laravel-9-support;westsoftware/acl2 - no_fix;yourock/quill - no_fix;mieproject/ui-dashboard - no_fix;mostafa0alii/dashboard-builder - no_fix;pceuropa/yii2-forms - no_fix;pceuropa/yii2-forms - 1.0.0;tig-irapuato/larasuu - no_fix;baoshi/laravel9-admin - 0.8.1;smartysoft/yii2-smartysoft-ample - no_fix;jybtx/backstaged-management - no_fix;wmlc/laravel-admin - 0.8.1;liteas98/cp - no_fix;tuliacms/cms - no_fix;dimaslanjaka/universal-framework - dev-snyk-fix-20c856194ba899c370807ce70750adf2;madtechservices/theme-madmin - no_fix;nuradev/nura24 - no_fix;nuradev/nura24 - dev-dependabot/npm_and_yarn/ini-1.3.8;nuradev/nura24 - dev-dependabot/npm_and_yarn/url-parse-1.5.3;nuradev/nura24 - dev-dependabot/npm_and_yarn/elliptic-6.5.4;salvatori/alma-one - 5.0.5;ofilin/yii2-quill - no_fix;heripermana88/l9vuexy - no_fix;erjon/cone - no_fix;obaydmerz/heroadm - no_fix;mnabialek/laravel-eloquent-filter - dev-dependabot/composer/guzzlehttp/guzzle-7.4.3;tahamazaheri/ticket - no_fix;salvatori/svcms - no_fix;zhenxxin/dcat-admin - 0.8.1;demyanenkomaks/yii2-base - 2.0.0;tarantella110/laravel-admin - 0.8.1;globit/laravel-ticket - no_fix;default64bit/ratech-admin - no_fix;oburatongoi/productivity - 0.0.1;oburatongoi/productivity - no_fix;developeroncall/larateme - v1.0;jxlwqq/quill - 1.0.3;moman12/dashboard_ui - no_fix;sina/shuttle - no_fix;sina/shuttle - dev-tmindiashvili1-patch-1;elefant/cms - dev-rector-first-run;masihfathi/yii2-drag-drop-forms - no_fix;adkats/bfacp - dev-depfu-update-npm-axios-0.21.1;juraev/quill - v0.0.1;thans/laravel-admin - 0.8.1;quill - 2.0.0;
quill - 1.3.7;houdunwang/hdcms - dev-dependabot/npm_and_yarn/Modules/Article/eventsource-1.1.1;codegaf/crudgenerator - dev-master;sky9th/skycms - v2.1;liushoukun/laravel-admin - 0.8.1;qsnh/meedu - dev-dependabot/npm_and_yarn/path-parse-1.0.7;moonshine/moonshine - 1.52.0;digitalfront/livewire - no_fix;drongotech/applicationinfo - v1.2.0;mymocms/mymocms - no_fix;shanjing/laravel-admin - 0.8.1;FSW - no_fix;orzcc/laravel-admin - 0.8.1;lee-to/moonshine - 2.x-dev;org.webjars.npm:quill:2.0.0-dev.4;org.webjars.npm:quill:1.3.7;org.webjars.npm:github-com-quilljs-quill:1.3.7;org.webjars.bower:quill:1.3.4
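The weakness this advisory describes (anchors with `target='_blank'` and no `rel="noopener"`, which leave `window.opener` reachable from the opened page) and the fix the upgrade applies, shown as an added JavaScript example. This is not quill's code and not part of the advisory: a small scanner that flags anchors opening a new tab without `noopener`/`noreferrer`, and a hardener that adds the attribute. The regex-based tag scanner (`getAttr`, `isUnsafeBlankAnchor`, `findUnsafeAnchors`, `hardenAnchors`) and the sample markup are constructed assumptions; for real documents a DOM or HTML parser is the right tool.

```javascript
// Added example (not quill's own code): scan an HTML string for anchors
// that open a new browsing context without rel="noopener", and harden them.
// The tag scanner below is a deliberately simplified helper (hypothetical,
// not a full HTML parser); it assumes plain, well-formed opening <a> tags.

const ANCHOR_RE = /<a\b[^>]*>/gi;

// Read one attribute value from an opening tag; null if the attribute is absent.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// target="_blank" without noopener or noreferrer leaves window.opener
// reachable from the opened page, the condition behind reverse tabnabbing.
function isUnsafeBlankAnchor(tag) {
  const target = getAttr(tag, 'target');
  if (target === null || target.toLowerCase() !== '_blank') return false;
  const relTokens = (getAttr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  // rel="noreferrer" implies noopener behaviour, so either token is enough.
  return !relTokens.includes('noopener') && !relTokens.includes('noreferrer');
}

// Detection: return every opening <a> tag that matches the weakness.
function findUnsafeAnchors(html) {
  return (html.match(ANCHOR_RE) || []).filter(isUnsafeBlankAnchor);
}

// Mitigation: add rel="noopener noreferrer", or append it to an existing rel.
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!isUnsafeBlankAnchor(tag)) return tag;
    if (getAttr(tag, 'rel') === null) {
      return tag.replace(/>$/, ' rel="noopener noreferrer">');
    }
    return tag.replace(
      /(\s)rel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i,
      (_match, ws, quoted) => {
        const value = /^["']/.test(quoted) ? quoted.slice(1, -1) : quoted;
        const merged = `${value} noopener noreferrer`.trim();
        return `${ws}rel="${merged}"`;
      }
    );
  });
}

// Constructed sample markup (not taken from the advisory or from quill).
const SAMPLE_HTML = [
  '<a href="https://example.com/a" target="_blank">unsafe: no rel</a>',
  '<a href="https://example.com/b" target="_blank" rel="noopener">safe</a>',
  '<a href="https://example.com/c" target="_blank" rel="nofollow">unsafe: rel lacks noopener</a>',
  '<a href="https://example.com/d">same tab, not affected</a>',
].join('\n');

console.log('unsafe anchors:', findUnsafeAnchors(SAMPLE_HTML));
console.log(hardenAnchors(SAMPLE_HTML));
```

Running the block reports two unsafe anchors (the first and third) and prints the hardened markup, in which the first anchor gains `rel="noopener noreferrer"` and the third becomes `rel="nofollow noopener noreferrer"`. Current browsers treat `target="_blank"` as implying `noopener`, but emitting the attribute explicitly remains the portable fix for older engines and for markup that is stored and rendered elsewhere.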
CVSS v3.1

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | LOW |
| Integrity (I) | LOW |
| Availability (A) | NONE |