Vulnerability Description
Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Serializer toEditableHtml function in kendo.all.min.js. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application. This allows attackers (in the worst case) to take over user sessions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Progress | Kendo Ui | 2018.1.221 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2018/Sep/49Mailing ListThird Party Advisory
- http://seclists.org/fulldisclosure/2018/Sep/50Mailing ListThird Party Advisory
- https://www.sec-consult.com/en/blog/advisories/stored-cross-site-scripting-in-keExploitTechnical DescriptionThird Party Advisory
- http://seclists.org/fulldisclosure/2018/Sep/49Mailing ListThird Party Advisory
- http://seclists.org/fulldisclosure/2018/Sep/50Mailing ListThird Party Advisory
- https://www.sec-consult.com/en/blog/advisories/stored-cross-site-scripting-in-keExploitTechnical DescriptionThird Party Advisory
FAQ
What is CVE-2018-14037?
CVE-2018-14037 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Seria...
How severe is CVE-2018-14037?
CVE-2018-14037 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-14037?
Check the references section above for vendor advisories and patch information. Affected products include: Progress Kendo Ui.