Coordinated Disclosure Timeline

Summary

codex-team/editor.js is vulnerable to XSS attacks when copy/pasting specially crafted input into the editor.

Product

Editor.js

Tested Version

2.24.2

Details

Issue: XSS copy/pasting HTML in the editor (GHSL-2022-028)

The processHTML method assigns the pasted input directly to the wrapper's innerHTML, so any markup in the clipboard content, including event-handler attributes such as onerror, is rendered and executed by the browser.

PoC:

  1. Open https://cdn.sekurak.pl/copy-paste/playground.html in your browser and enter <img src='foo' onerror='alert(123)'/> in the HTML Input box.
  2. Click Copy as HTML.
  3. Open https://editorjs.io/ in your browser.
  4. Paste the content you copied in step 2 into the editor.
  5. The JavaScript alert(123) is executed.
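The defensive counterpart to the issue above, as an added example that is not Editor.js code: pasted HTML is parsed into a tree and reduced to an allowlist of tags and attributes before anything is assigned to innerHTML, so the onerror handler from the PoC payload is dropped. The tree walk is the relevant part; the small tokenizer, the allowlists and the name sanitizePastedHtml are constructed for this demo so it runs under Node, and a browser implementation would walk the tree produced by DOMParser instead.

```javascript
// Added example, not from Editor.js. Allowlist sanitizer for pasted HTML.
// The parser below is a constructed toy (no entity decoding, no comments)
// so the block runs under Node; in a browser use DOMParser and walk the DOM.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'strong', 'em', 'a', 'img', 'ul', 'ol', 'li', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href']), img: new Set(['src', 'alt']) };
// Elements whose content is removed as well, not just the tag.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
// Accept http(s)/mailto URLs and scheme-less (relative) URLs; reject any other scheme
// such as javascript:.
const SAFE_URL = /^(?:(?:https?|mailto):|[^:]*$)/i;

// Tokenize tags, attributes and text into a plain tree: {tag, attrs, children} or {text}.
function parseHtml(html) {
  const root = { tag: '#root', attrs: {}, children: [] };
  const stack = [root];
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\/?>|([^<]+)/g;
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const parent = stack[stack.length - 1];
    if (m[3] !== undefined) { parent.children.push({ text: m[3] }); continue; }
    const tag = m[1].toLowerCase();
    if (m[0].startsWith('</')) {
      if (stack.length > 1 && parent.tag === tag) stack.pop();
      continue;
    }
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    const node = { tag, attrs, children: [] };
    parent.children.push(node);
    const isVoid = m[0].endsWith('/>') || tag === 'img' || tag === 'br';
    if (!isVoid) stack.push(node);
  }
  return root;
}

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Rebuild markup from the tree, keeping only allowlisted tags and attributes.
// Event-handler attributes (on*) are never on an allowlist, so they are dropped
// regardless of tag; href/src additionally have to pass the URL check.
function sanitizeNode(node) {
  if (node.text !== undefined) return escapeText(node.text);
  if (DROP_WITH_CONTENT.has(node.tag)) return '';
  const inner = node.children.map(sanitizeNode).join('');
  if (node.tag === '#root') return inner;
  if (!ALLOWED_TAGS.has(node.tag)) return inner; // unknown element: unwrap, keep its text
  const allowed = ALLOWED_ATTRS[node.tag] || new Set();
  const attrs = Object.entries(node.attrs)
    .filter(([k, v]) => allowed.has(k) && (!(k === 'href' || k === 'src') || SAFE_URL.test(v.trim())))
    .map(([k, v]) => ` ${k}="${escapeText(v)}"`)
    .join('');
  if (node.tag === 'img' || node.tag === 'br') return `<${node.tag}${attrs}>`;
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// What a paste handler would assign to innerHTML instead of the raw clipboard string.
function sanitizePastedHtml(html) {
  return sanitizeNode(parseHtml(html));
}

// Constructed sample: the PoC payload from the advisory, plus a script and a javascript: link.
const samples = [
  "<img src='foo' onerror='alert(123)'/>",
  '<p>hi <script>alert(1)</script><a href="javascript:alert(1)">x</a></p>',
];
for (const s of samples) console.log(JSON.stringify(s), '->', JSON.stringify(sanitizePastedHtml(s)));
```

The allowlist is the design point: rather than trying to enumerate dangerous attributes, the walk keeps only what the editor needs and discards everything else, which is why an unexpected handler name or an unusual tag needs no special case.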

Impact

This issue may lead to XSS in all projects that depend on editor.js, such as webiny/webiny-js, frappe/frappe, and Jungwoo-An/react-editor-js.

CVE

Credit

This issue was discovered by CodeQL team members @kaeluka (Stephan Brandauer) and @erik-krogh (Erik Krogh Kristensen), using a CodeQL query originally contributed by community member @bananabr (Daniel Santos).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-028 in any communication regarding this issue.

GitHub Security Advisories

We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.