Opened 3 years ago

Closed 3 years ago

#14380 closed Bug (invalid)

XSS Vulnerability bug report

Reported by: Balaji
Owned by:
Priority: Normal
Milestone:
Component: General
Version: 4.5.7
Keywords:
Cc:

Description

Steps to reproduce

  1. Go to the blog link http://ckeditor.com/blog/CKEditor-4.5.7-Released . Well, you can choose any blog from your website.
  2. Go to the comment box and type the XSS payload as follows:

"/><svg/onload=prompt(1);> in the Name and comment box area and store it.

  3. After the comment is stored you will see the stored XSS pop up.
  4. This is a big risk: the malicious code is stored on the website using this editor. Now whoever comes to this page will become a victim of the XSS attack; maybe the attacker can steal user account details or use other techniques.

Expected result

Actual result

POC = http://prntscr.com/a0762w

Other details (browser, OS, CKEditor version, installed plugins)

Attachments (2)

step 1.png (92.8 KB) - added by Balaji 3 years ago.
step 2.png (48.4 KB) - added by Balaji 3 years ago.


Change History (3)

Changed 3 years ago by Balaji

Attachment: step 1.png added

Changed 3 years ago by Balaji

Attachment: step 2.png added

comment:1 Changed 3 years ago by Wiktor Walc

Resolution: invalid
Status: new → closed

First of all this is not the right place to report security issues. When creating a ticket, there is even a warning shown above the form:

Please do not report security issues here, use the contact form instead.

In any case your report is invalid as the issue had nothing to do with CKEditor. It was an error on the website: the "name" text input where you entered the user name with the XSS vector was incorrectly filtered before displaying it on the page. The "name" text input does not even have CKEditor enabled on it.

If you ever again find a security issue and you seriously care about other users: use the contact form, do not post it publicly before we fix the issue, publish a security release and notify users about it.
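The root cause named in the comment above, a plain-text "name" field rendered into the page without output encoding, as an added example that is not code from ckeditor.com, CKEditor, or either participant. The comment template and function names are hypothetical; the payload is the one quoted in the report, used here as constructed test input.

```python
# Added example: a hypothetical comment template reproducing the class of bug
# the ticket describes (unescaped plain-text "name" field), next to its fix.
import html

# Payload quoted in the ticket; constructed test input, not live data.
REPORTED_PAYLOAD = '"/><svg/onload=prompt(1);>'


def render_comment_vulnerable(name: str, body_html: str) -> str:
    """Interpolates the author's name raw into an attribute and a text node.

    The leading '"/>' of the payload closes the data-author attribute and the
    tag, so the rest of the name is parsed as markup. This is stored XSS in
    the site's own template and has nothing to do with whichever editor
    produced body_html."""
    return (f'<div class="comment" data-author="{name}">'
            f'<span class="author">{name}</span>'
            f'<div class="body">{body_html}</div></div>')


def render_comment_fixed(name: str, body_html: str) -> str:
    """Same template, with the plain-text field HTML-escaped for both the
    attribute and the text-node context.

    quote=True matters: escaping only <, > and & would still let a double
    quote terminate the data-author attribute value. body_html is assumed to
    have been sanitized server-side already; that is a separate control."""
    safe_name = html.escape(name, quote=True)
    return (f'<div class="comment" data-author="{safe_name}">'
            f'<span class="author">{safe_name}</span>'
            f'<div class="body">{body_html}</div></div>')


def leaks_raw_markup(rendered: str, name: str) -> bool:
    """True when a name containing markup-significant characters reached the
    output verbatim, i.e. the template failed to encode it. A name with no
    such characters is expected to appear verbatim and is not a leak."""
    return any(c in name for c in '<>"&') and name in rendered


if __name__ == "__main__":
    body = "<p>Nice release.</p>"  # constructed, already-sanitized comment body
    for render in (render_comment_vulnerable, render_comment_fixed):
        out = render(REPORTED_PAYLOAD, body)
        print(render.__name__, "leaks:", leaks_raw_markup(out, REPORTED_PAYLOAD))
```

Running the script reports a leak only for the vulnerable template; the fixed one emits the name as `&quot;/&gt;&lt;svg/onload=prompt(1);&gt;` in both contexts.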
