VYPR
Moderate severity · NVD Advisory · Published Jul 5, 2018 · Updated Aug 5, 2024

CVE-2018-13339

Description

Imperavi Redactor 3 in Angular Redactor 1.1.6, when HTML content mode is used, allows stored XSS, as demonstrated by an onerror attribute of an IMG element, a related issue to CVE-2018-7035.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Angular Redactor 1.1.6 with Redactor 3 allows stored XSS via HTML content mode by injecting an onerror attribute in an IMG element.

Vulnerability

Angular Redactor 1.1.6, when used with Imperavi Redactor 3 in HTML content mode, contains a stored cross-site scripting (XSS) vulnerability [1][2]. The issue allows an attacker to inject arbitrary HTML, such as an `` payload, which is stored and executed when the content is rendered [2][4]. This is related to CVE-2018-7035 [1]. The vulnerable versions are those using Redactor 3 with Angular Redactor 1.1.6 [1][3].

Exploitation

An attacker requires the ability to edit content in the HTML mode of the affected editor [2][4]. The attack can be performed without authentication if the editor is publicly accessible, or with low-privilege access otherwise. The steps are: 1) Open the Redactor 3 editor in HTML content mode, 2) Insert a payload, e.g., ``, into the HTML source, 3) Save the content [4]. The payload executes whenever a victim views the saved content [2].

Impact

Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser [2][4]. This can result in session hijacking, defacement, or redirection to malicious sites. The impact is limited to the application's domain and the privileges of the victim user.

Mitigation

No official patch or fix has been released for Angular Redactor 1.1.6 [3]. Users are advised to avoid using HTML content mode in untrusted environments or to manually sanitize user input before storing or displaying content [2][4]. The vendor (Imperavi) may have addressed the issue in later versions of Redactor, but this is not confirmed for the Angular integration [1]. The CVE is not listed in the known exploited vulnerabilities (KEV) catalog.
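The sanitizing step the mitigation recommends, as an added example that is not part of this CVE record or of the Redactor or angular-redactor projects: a server-side allow-list HTML filter in JavaScript that drops event-handler attributes such as onerror from IMG elements and rejects javascript: URLs before content is stored. The tag and attribute lists, the helper names and the sample input are assumptions constructed for the illustration.

```javascript
// Added example (not the CVE record's or the Redactor/angular-redactor projects' code): an
// allow-list HTML filter run before editor output is stored. Only listed tags and attributes
// survive, so an IMG with an onerror handler (this CVE's payload) loses it. Prefer DOMPurify in production.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]), img: new Set(["src", "alt", "width", "height"]) };
// URL attributes: a conservative charset (no whitespace, quotes or '&', so entity-encoded
// schemes like "&#106;avascript:" cannot be smuggled) and only http(s)/mailto as scheme.
const URL_CHARS = /^[A-Za-z0-9.\/?=%:_+~#-]*$/;
const SCHEME = /^([A-Za-z][A-Za-z0-9+.-]*):/;
const SAFE_SCHEMES = /^(https?|mailto)$/i;
// One tag: group 1 is "/" for a closing tag, 2 the name, 3 the raw attribute text.
const TAG_RE = /<(\/?)([A-Za-z][\w-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
// One attribute inside that raw text: group 1 the name, 2 the (possibly quoted) value.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
// Escapes '<', '>' and bare '&' in text; already well-formed entities are left alone.
const escapeText = (s) =>
  s.replace(/&(?![A-Za-z#]\w*;)/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) => escapeText(s).replace(/"/g, "&quot;");

function safeUrl(value) {
  if (!URL_CHARS.test(value)) return false;
  const m = SCHEME.exec(value);
  return m === null || SAFE_SCHEMES.test(m[1]); // scheme-less (relative) URLs pass
}

function sanitizeHtml(html) {
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index)); // text between tags
    last = m.index + m[0].length;
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag dropped, its text content kept
    if (m[1]) { out += `</${name}>`; continue; }
    const allowed = ALLOWED_ATTRS[name] || new Set();
    let attrs = "";
    for (const a of m[3].matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase();
      if (!allowed.has(key)) continue; // drops onerror, onload, style, ... by default
      const value = a[2] === undefined ? "" : a[2].replace(/^["']|["']$/g, "");
      if ((key === "href" || key === "src") && !safeUrl(value)) continue;
      attrs += ` ${key}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample shaped like the payload the CVE description names.
const SAMPLE = '<p>Hi <IMG SRC="x" ONERROR="alert(1)"></p><a href="javascript:alert">x</a>';
console.log(sanitizeHtml(SAMPLE)); // <p>Hi <img src="x"></p><a>x</a>
```

The filter is deliberately strict about URL characters so that an attribute value is never accepted unless its decoded form is also safe.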

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Ecosystem  Affected versions  Patched versions
angular-redactor  npm        <= 1.1.6

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0. No linked articles in our index yet.