A stored XSS vulnerability in the preview boxes of the configuration panel may allow a malicious user to use both the label text and the references text to inject arbitrary JavaScript code (via script tags, event handlers, etc.).
Since the code is stored by the plugin, the attacker may be able to target anyone who opens the configuration panel of the plugin.
Steps to reproduce
Create a new document with the plugin enabled;
Either leave the current category selected, or create a new one;
In either the label text box or the references text box (or both, if you prefer) insert one of the following snippets:
<script>alert(1);</script>
<img src=x onerror='alert(1)'/>
Press "Save and apply"
Now, when the victim opens the configuration panel and selects the category from step 2, a popup will appear. Categories are shown in alphabetical order, so if the category chosen in step 2 is the first one listed, the victim does not even need to select it to be affected.
Please note that the examples proposed are only for demonstration. An attacker may inject arbitrary harmful JavaScript code.
Resolution
You need to escape any HTML in the label text and references text before it is rendered in the preview box of the configuration panel.
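The following is an added illustration of the fix described above; it is not the plugin's own code and it assumes nothing about the plugin's internals beyond the fact that stored label and references text end up inside the preview box markup. It shows the vulnerable interpolation beside an escaped version, a textContent-based alternative for the browser, and a small regression check that flags markup leaking through; the sample inputs are the two payloads quoted in this report.

```javascript
// Added example (not the plugin's own code): escaping stored label/reference
// text before it reaches the preview box, shown beside the vulnerable pattern.

// Characters that carry meaning in HTML and must be turned into entities.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every special character so the browser treats the result as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored text is interpolated straight into the markup,
// so a <script> tag or an onerror handler is parsed and executed.
function renderPreviewUnsafe(labelText, referencesText) {
  return (
    `<div class="preview"><span class="label">${labelText}</span> ` +
    `<span class="refs">${referencesText}</span></div>`
  );
}

// Hardened pattern: every user-controlled value is escaped before insertion.
function renderPreviewSafe(labelText, referencesText) {
  return (
    `<div class="preview"><span class="label">${escapeHtml(labelText)}</span> ` +
    `<span class="refs">${escapeHtml(referencesText)}</span></div>`
  );
}

// Browser-side alternative: assign user text via textContent instead of
// innerHTML, so it is never parsed as markup at all. `element` is any DOM
// node (a plain object works for offline testing).
function applyPreviewText(element, labelText, referencesText) {
  element.textContent = `${labelText} ${referencesText}`;
  return element.textContent;
}

// Regression check: true if any input containing a tag delimiter survives
// verbatim in the rendered markup.
function leaksUserMarkup(markup, ...userInputs) {
  return userInputs.some((s) => /[<>]/.test(s) && markup.includes(s));
}

// Constructed sample inputs: the two payloads quoted in the report.
const SAMPLE_LABEL = "<script>alert(1);</script>";
const SAMPLE_REFS = "<img src=x onerror='alert(1)'/>";

console.log(
  "unsafe render leaks markup:",
  leaksUserMarkup(renderPreviewUnsafe(SAMPLE_LABEL, SAMPLE_REFS), SAMPLE_LABEL, SAMPLE_REFS)
); // true
console.log(
  "safe render leaks markup:",
  leaksUserMarkup(renderPreviewSafe(SAMPLE_LABEL, SAMPLE_REFS), SAMPLE_LABEL, SAMPLE_REFS)
); // false
```

In a real UI the preferred fix is the textContent route (or a templating layer that escapes by default), since a hand-written escape function only helps where someone remembers to call it; the leaksUserMarkup check is the kind of assertion worth keeping in the plugin's test suite so the regression cannot silently return.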
Additional information
Assigned CVE-ID: CVE-2019-7250