Coordinated Disclosure Timeline
- 2022/05/12: Report sent to email@example.com
- 2022/05/12: Maintainer replies vulnerability is no longer reproducible, they created custom sanitization functions
- 2022/05/13: Bypass sent to maintainer
- 2022/06/12: Asked for status update to maintainer
- 2022/08/10: Deadline expired
- 2022/09/06: CVE-2022-23461 assigned
Jodit Editor 3 is vulnerable to XSS attacks when pasting specially constructed input.
Jodit Editor 3
Issue: XSS in jodit editor (
- Open https://cdn.sekurak.pl/copy-paste/playground.html in your browser, enter the text below in the HTML Input box:
<html> <body> <meta name=Generator content="Microsoft Word 15"> <img src="" onerror="alert(123)" /> </body> </html>
Copy as HTML.
- Go to https://xdsoft.net/jodit/
- Paste the text you copied in .
This issue may lead to XSS in any webpage that uses the editor. Users who copy-paste content from a page controlled by an attacker may be vulnerable.
This issue was discovered by CodeQL team members @kaeluka (Stephan Brandauer) and @erik-krogh (Erik Krogh Kristensen), using a CodeQL query originally contributed by community member @bananabr (Daniel Santos).
You can contact the GHSL team at
firstname.lastname@example.org, please include a reference to
GHSL-2022-030 in any communication regarding this issue.