Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ5NDMtOXZnZy1ncjVy
Cross-site Scripting in quill
A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. No patch exists and no further releases are planned.
This CVE is disputed. Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser. More information can be found here.
Permalink: https://github.com/advisories/GHSA-4943-9vgg-gr5rJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ5NDMtOXZnZy1ncjVy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-4943-9vgg-gr5r, CVE-2021-3163
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3163
- https://github.com/quilljs/quill/issues/3273
- https://github.com/quilljs/quill/issues/3359
- https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html
- https://quilljs.com
- https://github.com/quilljs/quill/issues/3364
- https://github.com/advisories/GHSA-4943-9vgg-gr5r
Blast Radius: 27.8
Affected Packages
npm:quill
Dependent packages: 2,158Dependent repositories: 35,962
Downloads: 5,362,054 last month
Affected Version Ranges: <= 1.3.7
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.4, 0.1.5, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.19.5, 0.19.7, 0.19.8, 0.19.10, 0.19.11, 0.19.12, 0.19.14, 0.20.0, 0.20.1, 1.0.0, 1.0.2, 1.0.3, 1.0.4, 1.0.6, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7