Versions of `status-board` prior to 10.0.1 are vulnerable to Cross-Site Scripting. The `_createPreviewButton()` function fails to sanitize the `href` attribute of a created `<a>` tag. This may allow attackers to execute arbitrary JavaScript in a victim’s browser.

Upgrade to version 10.0.1 or later.
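For code that builds a link preview itself, the missing control is a scheme check on the value before it reaches `href`. The following is an added example, not code from the advisory or from CKEditor; `safeHref`, `previewLinkAttributes`, the scheme allow-list and the `#` fallback are assumptions made for illustration.

```javascript
// Added example, not CKEditor's code. Schemes a link preview is allowed to open.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'ftp', 'ftps', 'mailto']);

// Whitespace and control characters. Browsers drop some of these before
// reading the scheme, so " java\tscript:" is still treated as "javascript:".
// Removing all of them before the check is stricter than a browser is.
const IGNORED_CHARS = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;
const SCHEME = /^([a-z][a-z0-9+.-]*):/i;
const FALLBACK_HREF = '#';

// Returns the URL unchanged when it is relative or uses an allowed scheme,
// otherwise a harmless fallback. Inputs such as "host:8080/path" are read as
// having the scheme "host" and are rejected, which is the conservative choice.
function safeHref(url) {
  const raw = String(url);
  const match = SCHEME.exec(raw.replace(IGNORED_CHARS, ''));
  if (!match) {
    return raw; // no scheme: relative path, fragment or query
  }
  return ALLOWED_SCHEMES.has(match[1].toLowerCase()) ? raw : FALLBACK_HREF;
}

// Hypothetical helper: the attributes to set on the preview <a> element.
// The raw user-supplied value is never assigned to href directly.
function previewLinkAttributes(url) {
  return { href: safeHref(url), target: '_blank', rel: 'noopener noreferrer' };
}

// Constructed sample inputs covering the accepted and rejected cases.
const SAMPLES = [
  'https://example.com/docs',
  '/relative/path',
  'mailto:user@example.com',
  'javascript:alert(1)',
  ' JaVa\tScRiPt:alert(1)',
  'data:text/html,x',
];

function checkSamples() {
  return SAMPLES.map((url) => [url, safeHref(url)]);
}

for (const [input, output] of checkSamples()) {
  console.log(JSON.stringify(input), '->', JSON.stringify(output));
}
```
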
| CPE | Name | Operator | Version |
|---|---|---|---|
| | @ckeditor/ckeditor5-link | lt | 10.0.1 |
| | @ckeditor/ckeditor5-link | ge | 0.3.0 |
ckeditor.com/blog/CKEditor-5-v10.0.1-released
github.com/advisories/GHSA-gvpx-9459-w3mj
github.com/ckeditor/ckeditor5-link
github.com/ckeditor/ckeditor5-link/blob/master/CHANGELOG.md#1001-2018-05-22
github.com/ckeditor/ckeditor5-link/commit/8cb782eceba10fc481e4021cb5d25b2a85d1b04e
nvd.nist.gov/vuln/detail/CVE-2018-11093
snyk.io/vuln/SNYK-JS-CKEDITORCKEDITOR5LINK-72892
www.npmjs.com/advisories/1154