Severity: high

Cross-Site Scripting

@progress/kendo-angular-editor

Overview

@progress/kendo-angular-editor before version 1.2.3 is vulnerable to Cross-Site Scripting (XSS). Script placed in element event-handler attributes of the Editor's content (for example an onerror attribute on an img element) is not removed when the content is rendered, so it executes in the browser of whoever views that content. Any Editor value that originates from an untrusted source, such as content stored from other users, is therefore an attack vector.

Setting the following as the Editor value demonstrates the issue: <img src="" onerror=alert(document.domain)>. The empty src guarantees a load error, so the handler fires as soon as the element is rendered, and alert(document.domain) shows that the script runs in the application's own origin.
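The following is an added example, not code from the advisory or from the Kendo Editor package. It shows, on the advisory's own payload, which parts of an HTML fragment carry script and what a fix has to strip before the value reaches the page: a character-level tag scanner, a detector for on* event handlers, javascript: URLs and script elements, and a stripper that removes them by offset. The function names, the URL attribute list and the sample inputs are this example's own assumptions. It is deliberately a block-list to mirror the payload; a production fix should use an allow-list sanitizer such as DOMPurify or Angular's DomSanitizer, or simply the patched package.

```javascript
// Added example (not the Kendo Editor's code). Scans an HTML fragment for the
// script vectors this advisory is about and strips them. Illustrative only:
// use an allow-list sanitizer or the fixed package in production.

const ADVISORY_POC = '<img src="" onerror=alert(document.domain)>'; // from the advisory
const WS = /\s/;
const NAME_CHAR = /[A-Za-z0-9:-]/;
// URL-bearing attributes where a javascript: scheme runs on activation (assumed list).
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

// Tokenise tags into { name, closing, attrs: [{ name, value, start, end }], start, end }.
function scanTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    let j = i + 1;
    const closing = html[j] === '/';
    if (closing) j++;
    const nameStart = j;
    while (j < html.length && NAME_CHAR.test(html[j])) j++;
    if (j === nameStart) { i++; continue; }            // stray "<", comment, doctype
    const name = html.slice(nameStart, j).toLowerCase();
    const attrs = [];
    while (j < html.length && html[j] !== '>') {
      while (j < html.length && (WS.test(html[j]) || html[j] === '/')) j++;
      if (j >= html.length || html[j] === '>') break;
      const aStart = j;
      while (j < html.length && !/[\s=\/>]/.test(html[j])) j++;
      const aName = html.slice(aStart, j).toLowerCase(); // ONERROR and onerror are the same
      let aEnd = j;
      let value = null;
      while (j < html.length && WS.test(html[j])) j++;
      if (html[j] === '=') {
        j++;
        while (j < html.length && WS.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {                   // quoted value, may contain ">"
          const close = html.indexOf(q, j + 1);
          const vEnd = close === -1 ? html.length : close;
          value = html.slice(j + 1, vEnd);
          j = vEnd + 1;
        } else {                                        // unquoted value, as in the PoC
          const vStart = j;
          while (j < html.length && !/[\s>]/.test(html[j])) j++;
          value = html.slice(vStart, j);
        }
        aEnd = j;
      }
      attrs.push({ name: aName, value, start: aStart, end: aEnd });
    }
    const end = j < html.length ? j + 1 : html.length;  // consume ">"
    tags.push({ name, closing, attrs, start: i, end });
    i = end;
  }
  return tags;
}

// True for attributes that execute script: any on* handler, or a URL attribute
// whose scheme is javascript:. Browsers drop tabs, newlines and leading control
// characters inside the scheme, so "\tJavaScript:" still runs; normalise first.
function isScriptAttr(a) {
  if (a.name.startsWith('on')) return true;
  if (!URL_ATTRS.has(a.name) || a.value === null) return false;
  const scheme = a.value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return scheme.startsWith('javascript:');
}

// Report every script vector found in the fragment.
function findScriptVectors(html) {
  const hits = [];
  for (const tag of scanTags(html)) {
    if (tag.closing) continue;
    if (tag.name === 'script') hits.push({ tag: 'script', attr: null, reason: 'script element' });
    for (const a of tag.attrs) {
      if (isScriptAttr(a)) {
        const reason = a.name.startsWith('on') ? 'event handler' : 'javascript: url';
        hits.push({ tag: tag.name, attr: a.name, reason });
      }
    }
  }
  return hits;
}

// Remove the offending attributes and <script> tags by byte range. Script tag
// markup is dropped, so its body is left behind as inert text.
function stripScriptVectors(html) {
  const cuts = [];                                     // ascending [start, end) ranges
  for (const tag of scanTags(html)) {
    if (tag.name === 'script') { cuts.push([tag.start, tag.end]); continue; }
    if (tag.closing) continue;
    for (const a of tag.attrs) if (isScriptAttr(a)) cuts.push([a.start, a.end]);
  }
  let out = '';
  let pos = 0;
  for (const [s, e] of cuts) { out += html.slice(pos, s); pos = e; }
  return out + html.slice(pos);
}

console.log(findScriptVectors(ADVISORY_POC));   // [{ tag: 'img', attr: 'onerror', reason: 'event handler' }]
console.log(stripScriptVectors(ADVISORY_POC));  // <img src="" >
```

Run with node; the remaining `<img src="" >` is harmless because nothing in it executes. The point of the scanner is to show what a sanitizer must understand (attribute boundaries, quoting, case, scheme normalisation), which is why block-lists of this kind are fragile and allow-list sanitizers are preferred.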

Remediation

Upgrade to version 1.2.3 or later. Upgrading does not rewrite Editor values that were saved while a vulnerable version was in use; if those values came from untrusted authors, sanitize them on the server before displaying them again.


Advisory timeline

  1. published

    Advisory Published
    Aug 11th, 2020
  2. reported

    Reported by Vaibhav Malwade
    Aug 11th, 2020