logo

Database

Reflected cross-site scripting (XSS) In @ckeditor/ckeditor5-link

Description

Cross-Site Scripting in @ckeditor/ckeditor5-link Versions of status-board prior to 10.0.1 are vulnerable to Cross-Site Scripting. The _createPreviewButton() function fails to sanitize the href attribute of a created <a> tag. This may allow attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 10.0.1 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2018-110932. NVD-2018-110933. OSV-2018-110934. GHSA-gvpx-9459-w3mj5. GCVE-2018-11093

References

1. https://github.com/ckeditor/ckeditor5-link/commit/8cb782eceba10fc481e4021cb5d25b2a85d1b04e2. https://ckeditor.com/blog/CKEditor-5-v10.0.1-released3. https://github.com/ckeditor/ckeditor5-link/blob/master/CHANGELOG.md#1001-2018-05-224. https://www.npmjs.com/advisories/1154

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.