QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2018-14037

Back to search

CVE-2018-14037

Published: Sep 28, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Serializer toEditableHtml function in kendo.all.min.js. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application. This allows attackers (in the worst case) to take over user sessions.

VendorProductVersions

n/a

n/a

affected
n/a

References

20180926 SEC Consult SA-20180926-0 ::
mailing-list
x_refsource_FULLDISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now