Arbitrary Code Execution

Affecting quill package, versions >=1.0.0-beta.0 <1.0.4


Overview

quill is a powerful rich text editor. Affected versions of the package are vulnerable to Arbitrary Code Execution because the pasteHTML() function inserts user-supplied HTML into the editor without sanitizing it, so markup such as an inline event handler is executed by the browser. The function was renamed, deprecated, and set to be removed in version 2.0.0.

// Proof of concept from the advisory: create an editor, then hand pasteHTML()
// attacker-controlled markup. The onerror handler fires because the HTML is
// inserted without sanitization.
var quill = new Quill('#editor', {
  theme: 'snow'
});

quill.pasteHTML('<img src=// onerror="alert(\'Not Found!\')">');
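The mitigation side of the advisory, as an added example that is not part of the advisory or the Quill project: an allowlist sanitizer run over untrusted HTML before it reaches the editor, plus a small detection helper that flags inline event-handler attributes in submitted fragments. The names sanitizeHtml, filterAttrs, isSafeUrl and findEventHandlers are this example's own; the regex tokenizer exists only so the code runs without a DOM, and the closing comment assumes Quill 1.x's clipboard.dangerouslyPasteHTML() replacement API is available.

```javascript
// Added example (not from the advisory or the Quill project). Allowlist-based
// HTML sanitizer: tags and attributes not listed here are dropped, so no on*
// event handler can survive, and href/src values with a script-capable scheme
// are removed. Regex tokenising is used so this runs without a DOM; it does not
// decode HTML entities, which is one reason to prefer a tested library
// (assumption: e.g. DOMPurify) in production.

const ALLOWED = {
  p: [], br: [], b: [], i: [], u: [], em: [], strong: [],
  ul: [], ol: [], li: [],
  a: ['href'],
  img: ['src', 'alt'],
};

// Reject URLs whose scheme can execute script. Control characters and
// whitespace are stripped first because browsers ignore them inside a scheme.
function isSafeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return !/^(javascript|vbscript|data):/.test(cleaned);
}

function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(value) {
  return value.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Keep only allowlisted attributes for this tag and re-emit them quoted.
function filterAttrs(tag, raw) {
  const allowed = ALLOWED[tag];
  const attrRe = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) continue;          // drops every on* handler
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if ((name === 'href' || name === 'src') && !isSafeUrl(value)) continue;
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));   // text between tags
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    // hasOwnProperty, not `in`: a <constructor> tag must not hit the prototype.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) continue;
    out += closing ? `</${tag}>` : `<${tag}${filterAttrs(tag, m[3])}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}

// Detection helper: list inline event-handler attributes in a fragment, e.g.
// to flag submissions in logs before any sanitising happens.
function findEventHandlers(html) {
  const found = [];
  const re = /\s(on[a-zA-Z]+)\s*=/g;
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1].toLowerCase());
  return found;
}

// Constructed input mirroring the advisory's proof of concept.
const untrusted = '<img src=// onerror="alert(\'Not Found!\')">';
console.log(findEventHandlers(untrusted)); // [ 'onerror' ]
console.log(sanitizeHtml(untrusted));      // <img src="//">
// In the editor (assumption: Quill 1.x clipboard API is available):
// quill.clipboard.dangerouslyPasteHTML(sanitizeHtml(untrusted));
```

Unknown tags are dropped while their text content is kept, so a stray script element degrades to harmless text rather than being executed; because the allowlist is positive (only named tags and attributes pass), new handler names or obscure elements need no special casing.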

Remediation

Upgrade quill to version 1.0.4 or higher.

CVSS Score

5.4 (medium severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Credit: Sajjad Hashemian
CWE: CWE-94
Snyk ID: npm:quill:20160916
Disclosed: 15 Sep, 2016
Published: 28 Feb, 2017