CVE-2018-16330
Description
Pandao Editor.md 1.5.0 allows XSS via crafted attributes of an invalid IMG element.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pandao Editor.md 1.5.0 fails to sanitize crafted IMG element attributes, enabling stored cross-site scripting (XSS) attacks.
Vulnerability
Pandao Editor.md version 1.5.0, an embeddable online Markdown editor, allows stored cross-site scripting (XSS) via crafted attributes of an invalid IMG element. The editor does not properly filter or escape attributes such as `src`, `alt`, `onerror`, or other event handlers in `<img>` tags [1][4]. When a user submits content containing a malformed `<img>` tag with malicious attributes, the unsanitized input is rendered as HTML in the preview area, leading to script execution [3]. Affected versions include 1.5.0 [2][3].
Exploitation
An attacker with the ability to submit or edit Markdown content in the Editor.md component can exploit this vulnerability. No authentication or special privileges are required if the editor is publicly accessible (e.g., in a comment form or content management system). The attacker crafts an `<img>` tag with attributes such as `/id="confirm(/xss/)"/alt="/"src="/"onerror=eval(id)` [4]. The attributes are separated by `/` rather than whitespace, and the code to run is stored in the `id` attribute and only reached through `eval(id)`, so a filter that looks for a whitespace-delimited ` onerror=` does not match, while the browser's HTML tokenizer still accepts the tag. When the victim views the rendered output (e.g., in a browser), `src="/"` points at a resource that is not a decodable image, so the `onerror` handler fires and the JavaScript executes. Viewing the preview or the published page is the only user action required [3][4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the site that embeds the editor. The impact includes theft of session cookies (where they are not marked HttpOnly), page redirection, defacement, keystroke logging, or forced actions on behalf of the victim. If the editor is used in a content management system, an attacker could potentially gain administrative privileges by stealing an administrator's session token or by driving authenticated requests from the administrator's browser [3][4]. The outcome is a compromise of confidentiality (data theft), integrity (content manipulation and actions performed as the victim), and availability (defacement or redirection that makes the page unusable).
Mitigation
As of the disclosed references, no official patch has been released for Editor.md 1.5.0 [2][3]. Users are advised to upgrade to a forked or patched version if available, or to sanitize the rendered HTML with a maintained allowlist-based sanitizer before it is displayed or stored: DOMPurify for the client-side preview (or under jsdom on a Node server), or a server-side library such as the OWASP Java HTML Sanitizer for content that is persisted and served to other users. The sanitizer should drop every event-handler (`on*`) attribute and restrict `src` to `http`/`https` or relative URLs; a regex-based blocklist of attribute names is not sufficient, since the reported payload separates attributes with `/` rather than spaces. A Content Security Policy that disallows inline script (no `'unsafe-inline'` in `script-src`) blocks execution of the injected handler even if sanitization is bypassed. Disabling the Markdown-to-HTML preview feature may also reduce risk. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of February 2025.
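The following is an added example, not code from Editor.md or from the referenced issue. It covers the two points made above: it tokenizes the reported payload the way a browser does (whitespace or `/` ends an attribute) to show why a whitespace-based regex blocklist misses it, and it applies an attribute allowlist with a `src` scheme check to neutralise it. The payload string is taken from the exploitation paragraph; the tag wrapper, the allowlist contents and the helper names are assumptions for illustration. A production system should use a maintained sanitizer such as DOMPurify rather than this hand-written tokenizer.

```javascript
// Added example (not Editor.md code): why the reported payload evades a naive
// blocklist, and how an attribute-allowlist sanitizer neutralises it.

// Payload from the upstream issue, wrapped in its <img ...> tag (constructed input).
const PAYLOAD = '<img/id="confirm(/xss/)"/alt="/"src="/"onerror=eval(id)>';

// Attributes a Markdown renderer legitimately needs on an image (assumed allowlist).
const ALLOWED_IMG_ATTRS = new Set(["src", "alt", "title", "width", "height"]);

// A typical regex blocklist: an event handler preceded by whitespace.
// It misses PAYLOAD because "onerror" follows a closing quote, not a space.
function naiveEventHandlerCheck(tag) {
  return /\son[a-z]+\s*=/i.test(tag);
}

// Tokenize the attribute section of one start tag into [name, value] pairs the
// way the HTML tokenizer does: whitespace or "/" separates attributes; values may
// be double-quoted, single-quoted or unquoted (unquoted ends at whitespace or ">").
function parseAttributes(attrText) {
  const attrs = [];
  const n = attrText.length;
  let i = 0;
  while (i < n) {
    while (i < n && /[\s\/]/.test(attrText[i])) i++;            // separators
    if (i >= n) break;
    let name = "";
    while (i < n && !/[\s\/=>]/.test(attrText[i])) name += attrText[i++];
    while (i < n && /\s/.test(attrText[i])) i++;                // space before "="
    let value = "";
    if (attrText[i] === "=") {
      i++;
      while (i < n && /\s/.test(attrText[i])) i++;              // space after "="
      const q = attrText[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < n && attrText[i] !== q) value += attrText[i++];
        i++;                                                     // closing quote
      } else {
        while (i < n && !/[\s>]/.test(attrText[i])) value += attrText[i++];
      }
    }
    if (name) attrs.push([name.toLowerCase(), value]);
  }
  return attrs;
}

// Only http(s) or scheme-less (relative) URLs are acceptable image sources.
// Control characters and spaces are stripped first because browsers ignore them
// inside a scheme ("java\tscript:" is still javascript:).
function isSafeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  if (!m) return true;                                           // relative URL
  const scheme = m[1].toLowerCase();
  return scheme === "http" || scheme === "https";
}

function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
              .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Rebuild an <img> start tag keeping only allowlisted attributes with safe values.
// Returns null if the input is not an <img> start tag.
function sanitizeImgTag(tag) {
  const m = /^<img\b([\s\S]*?)\/?>$/i.exec(tag.trim());
  if (!m) return null;
  const kept = [];
  for (const [name, value] of parseAttributes(m[1])) {
    if (!ALLOWED_IMG_ATTRS.has(name)) continue;                 // drops id, onerror, ...
    if (name === "src" && !isSafeUrl(value)) continue;          // drops javascript: etc.
    kept.push(`${name}="${escapeAttr(value)}"`);
  }
  return kept.length ? `<img ${kept.join(" ")}>` : "<img>";
}

console.log("naive blocklist flags payload:", naiveEventHandlerCheck(PAYLOAD));
console.log("browser-style parse:", parseAttributes(PAYLOAD.slice(4, -1)));
console.log("sanitized:", sanitizeImgTag(PAYLOAD));
```

The parse step shows the payload yielding four attributes (`id`, `alt`, `src`, `onerror`) even though the tag contains no whitespace, which is exactly what the regex check cannot see. The allowlist rebuild keeps only `alt` and `src`, so the handler and the `id` it depends on are both gone, and the same path also rejects `javascript:` and whitespace-obfuscated `src` values.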
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ghsa-coords
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vjcj-5g2r-vxqc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-16330 (NVD entry, via GHSA)
- github.com/pandao/editor.md/issues/612 (upstream issue report, via GHSA)
News mentions
No linked articles in our index yet.