Submit #652402: Changsha Developer Technology Co., Ltd. iView Editor <=1.1.1 XSS vulnerability

Title: Changsha Developer Technology Co., Ltd. iView Editor <=1.1.1 XSS vulnerability

Description: iView Editor has an XSS vulnerability. The official website has a trial case: https://editor.iviewui.com/

Because Markdown syntax renders hyperlinks and images as <a> and <img> tags on web pages, and the attributes of these tags are controllable, such as the href attribute of the <a> tag, a malicious XSS payload can be inserted to create a vulnerability.

Payload:

```
[Kobe](javascript:alert`666`)
```

Add it to the content and click it in the preview; a pop-up window appears.

GitHub project address: https://github.com/iview/iview-editor

Project setup and reproducibility

```bash
# Install the latest LTS version
nvm install 22.19.0
# Use this version
nvm use 22.19.0
# Set as the default version (optional)
nvm alias default 22.19.0
# Check the Node.js version
node -v
# Check the npm version
npm -v
# Create a Vue 2 project
npm create vue@2 my-iview-editor-v2
# Then install iview
cd my-iview-editor-v2
npm install iview iview-editor --save
```

[Figure: directory structure]

Import iView in main.js

```js
// src/main.js
import Vue from 'vue'
import App from './App.vue'

// Import iView (UI component library)
import iView from 'iview'
import 'iview/dist/styles/iview.css' // iView styles

// Import the iView Editor
import iEditor from 'iview-editor'
import 'iview-editor/dist/iview-editor.css' // Editor styles

Vue.use(iView)
Vue.use(iEditor)

new Vue({
  render: h => h(App)
}).$mount('#app')
```

Use in the page (App.vue)

```html
<!-- src/App.vue -->
<template>
  <div id="app">
    <i-editor v-model="content"></i-editor>
    <h3>Preview (raw markdown):</h3>
    <pre>{{ content }}</pre>
  </div>
</template>

<script>
export default {
  data() {
    return {
      content: '# Hello iView Editor\n\nThis is the initial content'
    }
  }
}
</script>
```
Source: https://github.com/duckpigdog/CVE/blob/main/iView%20Editor%20XSS.docx
User: suc2es2 (UID 90074)
Submission: 11/09/2025 05h46 (8 months ago)
Moderation: 25/09/2025 08h07 (14 days later)
Status: Accepted
VulDB entry: 325819 [Changsha Developer Technology iView Editor up to 1.1.1 Markdown cross-site scripting]
Points: 20
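
One way to close the controllable-href issue described above, as an added example that is not part of the submission or of the iView Editor code base: a scheme allowlist applied to each Markdown link destination before it is written into the href attribute. The names `safeUrl`, `escapeHtml` and `renderLinks` and the allowlist contents are assumptions made for illustration.

```javascript
// Added example (not iView Editor code); all names here are hypothetical.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Return the destination unchanged if it is relative or uses an allowed
// scheme, otherwise return '#'.
function safeUrl(raw) {
  // Browsers drop leading/trailing control characters and spaces, and every
  // tab, CR and LF, before parsing a URL, so normalise the same way first.
  const url = String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\r\n]/g, '');
  const colon = url.indexOf(':');
  const delim = url.search(/[\/?#]/);
  // No colon, or the first colon sits after a path/query/fragment delimiter:
  // the destination is a relative reference and has no scheme.
  if (colon === -1 || (delim !== -1 && delim < colon)) return url;
  return SAFE_SCHEMES.has(url.slice(0, colon).toLowerCase()) ? url : '#';
}

// Escape text for use in HTML content or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Handles only the inline link rule [text](destination); not a full Markdown parser.
function renderLinks(markdown) {
  return markdown.replace(/\[([^\]]*)\]\(([^)\s]*)\)/g, (_, text, dest) =>
    `<a href="${escapeHtml(safeUrl(dest))}">${escapeHtml(text)}</a>`);
}

// Constructed inputs: the payload from the description and an ordinary link.
console.log(renderLinks('[Kobe](javascript:alert`666`)'));
console.log(renderLinks('[Trial](https://editor.iviewui.com/)'));
```

In a real renderer the check belongs on the destination after the Markdown parser has decoded entities and backslash escapes, and the same check applies to the src of generated <img> tags.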
