XSS Vulnerability Report: Discovering XSS Vulnerability through Data Schema Manipulation #4638
Comments
The hacking demonstration uses version 0.8.18, but I also succeeded with that attack in version 0.8.20. [filtering code]
I think the HTML code should be cleaned and filtered on the server side. For your example, you could also use F12 and inject an alert without any Summernote.
I also agree to filter on the server. The vulnerability could cause Stored XSS, and it can redirect to a malicious site. It's high risk and there are a lot of exploitable scenarios. I think it needs to be fixed.
see #4642
Checklist
Steps to reproduce
Step 1. Click on the "Insert Image" button within the Summernote functionality.
Step 2. Select an arbitrary image and insert it.
Step 3. Click on the "Code View" button.
Step 4. Attempt an XSS attack by manipulating the code of the inserted image.

```html
<iframe src="data:text/html;base64,PGltZyBzcmM9MSBvbmVycm9yPXdpbmRvdy5vcGVuKCdodHRwczovL3d3dy5nb29nbGUuY29tJyk+">
```

Step 5. Confirm that the Base64-encoded XSS attack code is indeed stored and operational, demonstrating its functionality.
Expected behavior
I expected that upon following the outlined steps, the Summernote functionality would insert the selected image as intended. Additionally, I anticipated that the Code View feature would allow for the manipulation of the inserted image's code. However, I did not expect the system to accept and execute the Base64-encoded XSS attack code, as this would indicate a vulnerability in the application's security measures.
Current behavior
After following the specified steps, the Summernote functionality successfully inserts the selected image into the editor. When switching to Code View and attempting to manipulate the code of the inserted image with Base64-encoded XSS attack code, the application does not prevent the insertion or execution of the malicious code. This behavior was observed in version 0.8.18 during my demonstration. Furthermore, similar findings were confirmed in a different environment running version 0.8.20, indicating that the vulnerability persists across multiple versions. This poses a serious security risk as it allows for potential exploitation of cross-site scripting vulnerabilities.
2024-05-09.23.35.24.mp4
Minimal example reproducing the issue

```html
<iframe src="data:text/html;base64,PGltZyBzcmM9MSBvbmVycm9yPXdpbmRvdy5vcGVuKCdodHRwczovL3d3dy5nb29nbGUuY29tJyk+">
```

Environment
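As an added illustration (not Summernote's code and not the fix referenced in #4642), the following Node.js check shows what a server-side gate on the submitted fragment would have to do, since the editor's own filtering runs in the browser and can be bypassed: decode any base64 `data:` URIs and inspect what they hide. The function names and the two sample fragments are mine; the payload sample is the one quoted in this report.

```javascript
// Added example (not Summernote's code): a server-side check run on the HTML
// fragment before it is stored. Client-side filtering can be bypassed, so the
// server inspects what it receives, including content inside base64 data: URIs.

const DATA_URI_RE = /\b(?:src|href)\s*=\s*["']?(data:[^"'\s>]+)/gi;
const DISALLOWED_TAG_RE = /<\s*(iframe|script|object|embed)\b/gi;
const HANDLER_RE = /\bon[a-z]+\s*=/i; // onerror=, onload=, ...

// Split a data: URI into media type and decoded body (base64 or percent-encoded).
function decodeDataUri(uri) {
  const m = /^data:([^;,]*)((?:;[^;,]*)*),(.*)$/i.exec(uri);
  if (!m) return null;
  const mime = (m[1] || 'text/plain').toLowerCase();
  const body = /;base64/i.test(m[2])
    ? Buffer.from(m[3], 'base64').toString('utf8')
    : decodeURIComponent(m[3]);
  return { mime, body };
}

// Collect reasons a fragment should be rejected: embedding tags, event handler
// attributes, data: URIs that are whole HTML documents, and handlers or scripts
// that only become visible once the data: URI is decoded.
function inspectFragment(html) {
  const findings = [];
  for (const m of html.matchAll(DISALLOWED_TAG_RE)) {
    findings.push({ reason: 'disallowed tag', detail: m[1].toLowerCase() });
  }
  if (HANDLER_RE.test(html)) findings.push({ reason: 'event handler attribute', detail: html });
  for (const m of html.matchAll(DATA_URI_RE)) {
    const decoded = decodeDataUri(m[1]);
    if (!decoded) continue;
    if (decoded.mime === 'text/html') {
      findings.push({ reason: 'data:text/html document', detail: decoded.body });
    }
    if (HANDLER_RE.test(decoded.body) || /<script\b/i.test(decoded.body)) {
      findings.push({ reason: 'script in decoded data URI', detail: decoded.body });
    }
  }
  return findings;
}

function isSafeToStore(html) {
  return inspectFragment(html).length === 0;
}

// Constructed samples: the payload quoted in the report, and a normal inline image.
const REPORTED_PAYLOAD =
  '<iframe src="data:text/html;base64,PGltZyBzcmM9MSBvbmVycm9yPXdpbmRvdy5vcGVuKCdodHRwczovL3d3dy5nb29nbGUuY29tJyk+">';
const BENIGN_IMAGE = '<p>Hello</p><img src="data:image/png;base64,iVBORw0KGgo=" alt="dot">';
console.log(inspectFragment(REPORTED_PAYLOAD).map(f => f.reason)); // 3 reasons
console.log(isSafeToStore(BENIGN_IMAGE));                          // true
```

This is a reject-or-accept gate, not a sanitizer: in production the accepted fragment would still go through a vetted allowlist-based HTML sanitizer, and the decoded `detail` field is what a reviewer of the stored content would want logged.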