Skip to content
This repository has been archived by the owner on Jan 9, 2024. It is now read-only.

There is a csrf vulnerability in kindeditor - 4.1.* #337

Open
cyber-word opened this issue Oct 14, 2021 · 0 comments
Open

There is a csrf vulnerability in kindeditor - 4.1.* #337

cyber-word opened this issue Oct 14, 2021 · 0 comments

Comments

@cyber-word
Copy link

[Suggested description]
Cross Site Request Forgery (CSRF) vulnerability exists in KindEdirot
4.1.x. First, you upload an html file containing csrf on the website
that uses a google editor, (you only need to search in google:
inurl:/examples/uploadbutton.html) and then use the authority of this
website to trick users into clicking your malicious html link.

[Vulnerability Type]
Cross Site Request Forgery (CSRF)

[Vendor of Product]
https://github.com/kindsoft/kindeditor

[Affected Product Code Base]
kindeditor - 4.1.*

[Affected Component]
To find a website that uses this editor, you only need to search in google: inurl:/examples/uploadbutton.html
Because this is the feature file of this editor

[Attack Type]
Remote

[Impact Code execution]
true

Attackers can use websites trusted by users to perform dangerous operations

[Attack Vectors]

<title>csrf test</title> // your target url
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cyber-word