Coordinated Disclosure Timeline
- 2021-09-15: Report sent to email@example.com
- 2021-09-15: Email was not delivery since the provided address does not exist
- 2021-09-15: Requested security contact publicly
- 2021-09-15: Issue turns to be a collision with a recently reported issue
- 2021-09-23: Issue is fixed
Copy-paste XSS in jSuites editor
Issue: Copy-paste XSS in jSuites (
The jSuites editor is vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor.
Proof of concept (tested on Chrome):
- Open this page: cdn.sekurak.pl/copy-paste/playground.html
- Paste the following code into “HTML Input”
<div class="MsoNormal">foobar<img src="foo" onload="alert(1)" onerror="alert(2)"/></div>
- Click “Copy as HTML”
- Open http://jsuites.net/v4/text-editor/basic
- Paste into the text editor.
This issue may lead to XSS with user interaction
You can contact the GHSL team at
firstname.lastname@example.org, please include a reference to
GHSL-2021-1002 in any communication regarding this issue.