
Cross-site Scripting in quill

Moderate severity GitHub Reviewed Published May 10, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

npm quill (npm)

Affected versions

<= 1.3.7

Patched versions

None

Description

A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. No patch exists and no further releases are planned.

This CVE is disputed. Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser. More information can be found in the discussion linked from the original advisory. For deployers the practical consequence is the same either way: no patched Quill version exists, so an application that persists editor output and later renders it as HTML must treat that content as untrusted. Sanitize it with an allowlist that removes event-handler attributes such as onloadstart and script-bearing URL schemes before rendering, and ship a Content Security Policy that disallows inline event handlers so a payload that does get through cannot execute.
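Worked example, added here and not code from Quill or from the advisory: an allowlist sanitizer for stored rich text, plus a scanner that flags inline event handlers in content that is already stored. The tag and attribute lists, the function names, and the sample STORED_HTML string are illustrative assumptions, not Quill's schema; in production, prefer a maintained sanitizer such as DOMPurify. The point shown is the policy: rebuild the document from an allowlist so that every on* attribute (onloadstart included) is dropped regardless of tag, and URL attributes are checked after entity decoding.

```javascript
// Added example, not code from Quill or from the advisory: an allowlist HTML
// sanitizer for stored editor output, plus a scanner that flags inline event
// handlers (the advisory's payload class) in already-stored content.
// Tag and attribute lists are illustrative choices, not Quill's schema.
// In production prefer a maintained sanitizer such as DOMPurify; this code
// shows the policy, not a complete HTML parser.

const ALLOWED_TAGS = new Set([
  'p', 'br', 'strong', 'em', 'u', 's', 'a', 'img', 'ul', 'ol', 'li',
  'blockquote', 'pre', 'code', 'h1', 'h2', 'h3', 'span',
]);
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt', 'width', 'height']),
  span: new Set(['class']),
};
const URL_ATTRS = new Set(['href', 'src']);
const VOID_TAGS = new Set(['br', 'img']);

// One start or end tag; group 3 is the raw attribute text (quoted values may contain '>').
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:"[^"]*"|'[^']*'|[^"'>])*)>/g;
// One attribute: name, then optionally a double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

// Minimal entity decoding so an obfuscated scheme such as "javascript&#58;" is seen as written.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePoint(Number(d)))
    .replace(/&(amp|lt|gt|quot|apos|colon|tab|newline);/gi, (_, n) => named[n.toLowerCase()]);
}
function codePoint(n) { return n <= 0x10ffff ? String.fromCodePoint(n) : ''; }

// Text nodes: escape angle brackets only, so entities already present are kept as-is.
function escapeText(s) { return s.replace(/</g, '&lt;').replace(/>/g, '&gt;'); }
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Relative URLs and http(s)/mailto are allowed; javascript:, data:, vbscript: and the rest are not.
function isSafeUrl(raw) {
  const v = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return m === null || ['http', 'https', 'mailto'].includes(m[1]);
}

function serializeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  let out = '';
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;                 // drops every on* handler, style, srcdoc, ...
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;
    out += ` ${name}="${escapeAttr(decodeEntities(value))}"`;
  }
  return out;
}

// Rebuilds the document: tags outside the allowlist are dropped (their text survives as
// escaped text), allowed tags are re-emitted with only allowlisted attributes.
function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = TAG_RE.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;
    if (closing) { if (!VOID_TAGS.has(name)) out += `</${name}>`; continue; }
    out += `<${name}${serializeAttrs(name, m[3])}>`;
  }
  return out + escapeText(html.slice(last));
}

// Detection side: list inline event handlers found in content that is already stored.
function findEventHandlers(html) {
  const hits = [];
  TAG_RE.lastIndex = 0;
  let t;
  while ((t = TAG_RE.exec(html)) !== null) {
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(t[3])) !== null) {
      if (/^on[a-z]/i.test(a[1])) hits.push({ tag: t[2].toLowerCase(), attr: a[1].toLowerCase() });
    }
  }
  return hits;
}

// Constructed sample of what a text field might hold after the advisory's payload is stored.
const STORED_HTML = '<p>Hello <strong>world</strong></p><img src="x" onloadstart="alert(document.cookie)">';

console.log(findEventHandlers(STORED_HTML));  // one hit: tag "img", attribute "onloadstart"
console.log(sanitizeHtml(STORED_HTML));       // <p>Hello <strong>world</strong></p><img src="x">
```

Run the sanitizer on the server at write time (so the stored copy is already clean) and again at render time; the scanner is the cheap way to audit what is already in the database. Because the allowlist is positive, new attribute names that browsers add later are dropped without a code change, which is the property a denylist of on* names cannot give.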

References

Published by the National Vulnerability Database Apr 12, 2021
Reviewed May 7, 2021
Published to the GitHub Advisory Database May 10, 2021
Last updated Feb 1, 2023

Severity

Moderate
6.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2021-3163

GHSA ID

GHSA-4943-9vgg-gr5r
