CVE-2022-23461 An editor in Jodit Editor is vulnerable to XSS attacks when copying specially crafted input. This issue has not been fully patched.

In addition, Jodit Editor supports only the following HTML tags:

Jodit Editor does not support custom HTML tags, so they will be converted to the above list of supported tags. Inputting specially crafted or malicious HTML in Jodit Editor can result in XSS attacks.For example, if an attacker can inject data into a form that is shared across several URLs (e.g. /form1/), and the data is processed by Jodit Editor, then an attacker can craft a malicious script tag and use it to execute code on the victim’s computer.

2.3

.5 XSS
In order to avoid this issue, please refrain from inputting HTML that is shared across several URLs.

HTML Injection Examples

Timeline

Published on: 09/24/2022 03:15:00 UTC
Last modified on: 09/27/2022 19:25:00 UTC

References

• https://securitylab.github.com/advisories/GHSL-2022-030_xdan_jodit/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23461