
CVE-2022-4902: Task-56304 : XSS issue in chat · exoplatform/chat-application@26bf307

A vulnerability classified as problematic has been found in the eXo Chat Application. Affected is an unknown function of the file application/src/main/webapp/vue-app/components/ExoChatMessageComposer.vue in the component Mention Handler. The manipulation leads to cross-site scripting. The attack can be launched remotely. Upgrading to version 3.3.0-20220417 addresses this issue. The name of the patch is 26bf307d3658d1403cfd5c3ad423ce4c4d1cb2dc. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-220212.

#xss #vulnerability #web

@@ -340,6 +340,7 @@ export default { checkMention(message) { message = $(‘<div />’).html(message).text(); message = message.replace(/\s\s+/g, ' '); message = this.encodeHTMLEntities(message); for (let i = 0; i < this.participants.length; i++) { if (message.includes(`@${this.participants[i].fullname}`) ){ this.mentionedUsers.push(this.participants[i].name); @@ -352,6 +353,11 @@ export default { this.mentionedUsers = []; return message; }, encodeHTMLEntities(text) { const textArea = document.createElement(‘p’); textArea.innerText = text; return textArea.innerHTML; }, paste(e) { // consider the first item (can be easily extended for multiple items) const item = e.clipboardData.items[0]; @@ -367,11 +373,11 @@ export default { // cancel paste e.preventDefault(); // get text representation of clipboard this.text = (e.originalEvent || e).clipboardData.getData(‘text/plain’); this.text = this.encodeHTMLEntities((e.originalEvent || e).clipboardData.getData(‘text/plain’)); // insert text manually $(this.$refs.messageComposerArea).insertAtCaret(this.text); } }, } }; </script> </script>
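Review bot: in checkMention (hunk @@ -340,6 +340,7 @@) the new `message = this.encodeHTMLEntities(message);` runs before the `message.includes(`@${this.participants[i].fullname}`)` loop, so a participant whose fullname contains a character the encoder rewrites (`&`, `<`, `>`) will no longer match and will not be pushed to mentionedUsers. Consider matching mentions on the plain text and encoding only the value that is returned, or comparing against an encoded copy of the fullname.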
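Review bot: encodeHTMLEntities (hunk @@ -352,6 +353,11 @@) sets `textArea.innerText = text` and reads back innerHTML; the innerText setter converts line breaks into `<br>` elements, so for multi-line input the helper returns markup rather than purely entity-encoded text. If that is intended for the composer, say so in a comment; otherwise assign textContent, which encodes the text without inserting elements. The variable is also named textArea although it holds the `<p>` element created by `document.createElement('p')`.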
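Review bot: the paste handler (hunk @@ -367,11 +373,11 @@) now stores the encoded string in `this.text` before calling `insertAtCaret`, so any other consumer of this.text sees entity-encoded text instead of the raw clipboard value; keep the raw value separate if it is used elsewhere. This hunk only covers text/plain data pasted through this handler, so it complements rather than replaces the encoding added in checkMention.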
