RSS   Vulnerabilities for 'Kendo ui editor'   RSS

2018-09-27
 
CVE-2018-14037

CWE-79
 

 
Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Serializer toEditableHtml function in kendo.all.min.js. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application. This allows attackers (in the worst case) to take over user sessions.

 

 >>> Vendor: Progress 12 Products
Webspeed
Progress
Database
4gl compiler
Webspeed messenger
Openedge
Sitefinity
Kendo ui editor
Sitefinity cms
Fiddler
Kendo ui
Ipswitch ws ftp server


Copyright 2019, cxsecurity.com

 

Back to Top