Vulnerability DatabaseWS-2021-0436
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
WS-2021-0436
December 02, 2024
The rich text editor does not escape attribute data when previewing custom tags. This means XSS is possible if custom tags are used, for users who have access to editing rich text content. Frontend content view is not affected, but the vulnerability could be used by editors to attack other editors. The fix ensures custom tag attribute data is escaped in the editor. ezplatform-admin-ui is vulnerable from 1.5.0 throuhg 1.5.25. Fixed in ezplatform-richtext 1.5.25.1.
Related ResourcesĀ (4)
https://developers.ibexa.co/security-advisories/ibexa-sa-2021-010-xss-in-richtext-custom-tag-attributes
https://github.com/ezsystems/ezplatform-admin-ui/commit/393bd0a68e57aa72f6a1cfef1614b544224bfe6e
https://github.com/ezsystems/ezplatform-admin-ui
https://github.com/ezsystems/ezplatform-admin-ui/security/advisories/GHSA-9jp8-cwwx-p64q
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE