Stored Cross-Site-Scripting (XSS) in Markdown Editor

Moderate
avvertix published GHSA-wwcw-h4mf-mvxf Feb 12, 2022

Package

k-box (K-Box)

Affected versions

<0.33.0

Patched versions

0.33.1

Description

Impact

A stored cross-site scripting (XSS) vulnerability was found in the markdown editor used for the document abstract and for the markdown file preview. A specifically crafted anchor link can, if clicked, execute untrusted JavaScript, such as retrieving the user's cookies.

Patches

Version 0.33.1 includes a patch that discards unsafe links.
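The mitigation the advisory describes, discarding links whose target is not a safe URL, can be illustrated with an allowlist check on the href scheme. The following is an added example and is not K-Box's or showdown's own code; the function names (`isSafeHref`, `renderLinks`), the allowlist contents and the sample links are assumptions made for the illustration. It treats relative URLs and the `http`, `https` and `mailto` schemes as safe, and drops everything else, including scheme strings that hide behind mixed case or embedded tab and control characters, which browsers ignore when resolving a URL.

```javascript
// Added example (not K-Box or showdown code): an allowlist-based link
// sanitiser of the kind a markdown renderer can apply to every anchor href
// before emitting HTML. Unsafe schemes are discarded, which is the behaviour
// the advisory attributes to the 0.33.1 fix. Names and values are assumptions.

const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Normalise an href the way a browser would before resolving it: trim it,
// drop ASCII control characters and whitespace (browsers ignore these inside
// the scheme), and lower-case it for comparison only.
function normalizeHref(href) {
  return String(href)
    .trim()
    .replace(/[\u0000-\u001f\u007f\s]/g, "")
    .toLowerCase();
}

// Return true when the href is safe to emit as an <a href>.
// Relative links, fragments and allowlisted absolute schemes pass; anything
// else (javascript:, data:, vbscript:, unknown schemes) is rejected.
function isSafeHref(href) {
  const h = normalizeHref(href);
  if (h === "") return false;
  const m = /^([a-z][a-z0-9+.-]*):/.exec(h);
  if (!m) {
    // No scheme present: a relative URL (/path, ./x, #fragment, ?query).
    // A protocol-relative "//host" resolves to the page's own scheme.
    return true;
  }
  return SAFE_SCHEMES.has(m[1]);
}

// Minimal HTML escaping for text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render a list of markdown-style links {text, href}. Links with an unsafe
// href are emitted as plain text so the visible label survives but nothing
// is clickable; safe links become anchors.
function renderLinks(links) {
  return links.map(({ text, href }) => {
    const safeText = escapeHtml(text);
    if (!isSafeHref(href)) {
      return `<span class="unsafe-link">${safeText}</span>`;
    }
    const attr = escapeHtml(String(href).trim());
    return `<a href="${attr}" rel="noopener noreferrer">${safeText}</a>`;
  });
}

// Constructed sample input, not taken from the advisory.
const SAMPLE_LINKS = [
  { text: "Docs", href: "https://example.org/docs" },
  { text: "Contact", href: "mailto:security@example.org" },
  { text: "Section", href: "#section-2" },
  { text: "Click me", href: "javascript:void(0)" },
  { text: "Mixed case", href: " JaVaScRiPt:void(0)" },
  { text: "Tab in scheme", href: "java\tscript:void(0)" },
  { text: "Data URL", href: "data:text/html;base64,AAAA" },
];

// Usage: renderLinks(SAMPLE_LINKS) yields two anchors, one fragment anchor and
// four plain-text spans; nothing with a rejected scheme reaches the DOM.
```

The check is applied at render time rather than at save time, so content stored before the fix is also neutralised when it is next displayed, and the visible link text is preserved so the document still reads correctly.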

References

https://github.com/showdownjs/showdown/wiki/Markdown%27s-XSS-Vulnerability-%28and-how-to-mitigate-it%29

Credits

Thanks to Philipp Fortmann for reporting this to us in a responsible manner.

For more information

If you have any questions or comments about this advisory:

  • Email us at security [at] oneofftech.xyz

Severity

Moderate

CVE ID

CVE-2022-23637

Weaknesses

No CWEs