Medium severity (6.1) · OSV Advisory · Published Sep 28, 2018 · Updated Jun 17, 2026
CVE-2018-14037
Description
Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Serializer toEditableHtml function in kendo.all.min.js. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application. This allows attackers (in the worst case) to take over user sessions.
Affected products
- Range: 2014.2.716, 2014.3.1119, 2014.3.1411, …
- Range: = v2018.1.221
References
- www.sec-consult.com/en/blog/advisories/stored-cross-site-scripting-in-kendo-ui-editor-cve-2018-14037/ (NVD tags: Exploit, Technical Description, Third Party Advisory)
- seclists.org/fulldisclosure/2018/Sep/49 (NVD tags: Mailing List, Third Party Advisory)
- seclists.org/fulldisclosure/2018/Sep/50 (NVD tags: Mailing List, Third Party Advisory)