CVE-2021-42228 – kindeditor
Package
Manager: npm
Name: kindeditor
Vulnerable Version: >=0 <=4.1.12
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00186 (percentile 0.40647)
Details
Cross Site Request Forgery in kindeditor. A Cross Site Request Forgery (CSRF) vulnerability exists in KindEditor 4.1.x. The attacker first uploads an HTML file containing the CSRF payload to a site that uses the editor (such sites can be located with the Google search `inurl:/examples/uploadbutton.html`), and then uses that site's own origin and authority to trick users into opening the malicious HTML link.
Metadata
Created: 2021-10-18T19:44:06Z
Modified: 2021-10-21T14:56:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-3ww4-cp53-6g2x/GHSA-3ww4-cp53-6g2x.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-3ww4-cp53-6g2x
Finding: F007
Auto approve: 1