GHSL-2021-1002: Copy-paste XSS in jSuites editor - CVE-2021-41086

Coordinated Disclosure Timeline

• 2021-09-15: Report sent to contact@jsuites.net
• 2021-09-15: Email was not delivery since the provided address does not exist
• 2021-09-15: Requested security contact publicly
• 2021-09-15: Issue turns to be a collision with a recently reported issue
• 2021-09-23: Issue is fixed

Summary

Copy-paste XSS in jSuites editor

Product

jSuites

Tested Version

v4.4.2

Details

Issue: Copy-paste XSS in jSuites (GHSL-2021-1002)

The jSuites editor is vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor.

Proof of concept (tested on Chrome):

• Open this page: cdn.sekurak.pl/copy-paste/playground.html
• Paste the following code into “HTML Input”

    <div class="MsoNormal">foobar<img src="foo" onload="alert(1)" onerror="alert(2)"/></div>
  

• Click “Copy as HTML”
• Open http://jsuites.net/v4/text-editor/basic
• Paste into the text editor.

Note: This issue was found using the following CodeQL query

Impact

This issue may lead to XSS with user interaction

CVE

• CVE-2021-41086

Credit

This issue was discovered by GHSL team member @erik-krogh (Erik Kristensen) using the CodeQL query contributed by @bananabr (Daniel Santos).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1002 in any communication regarding this issue.