Do you have a rich text editor in your website? Check it for attribute-based XSS.


G. S. McNamara

Sep 26, 2014, 8:41:58 PM
to owasp...@googlegroups.com
Hello OWASP,

If you are responsible for a website that has a WYSIWYG / rich text / HTML editor, please check it for attribute-based cross-site scripting (XSS). This is XSS without script tags. I just disclosed the following regarding the RadEditor by Telerik.



Feel free to drop me hints of more products to look into! Email me privately with any questions/concerns.


Thanks!

G. S. McNamara
