Headline
CVE-2020-19697: XSS vulnerability found via <iframe> src attribute · Issue #701 · pandao/editor.md
Cross Site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the <iframe>src parameter.
Test Environment:
Firefox Quantum 67.0.3/Chrome 75.0.3770.100/Safari 12.1.1
Description:
User can use <iframe> src attribute to insert malicious javascript codes, and then execute it.
Reproduce steps
1. go to https://pandao.github.io/editor.md/en.html or any open editor.md apps
2. in the edit mode, input the following malicious codes
<iframe src=javascript://%0aalert(document.cookie)>
Expected Results
No malicious javascript codes should be executed
Actual Results
The malicious codes are executed
Related news
GHSA-w974-rq9x-mh3v: Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter
Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the `<iframe> src` parameter.