CVE-2018-6464
Description
Simditor 2.3.11 has a stored/reflected XSS vulnerability via crafted SVG with onload in a TEXTAREA element.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Simditor v2.3.11 is vulnerable to cross-site scripting (XSS) due to improper sanitization of user input within a TEXTAREA element. An attacker can inject JavaScript by crafting an SVG element with an onload event handler, e.g., <svg/onload=alert(1)>. This is demonstrated in Firefox 54.0.1 [1][2].
Exploitation
The attacker requires the ability to input data into a TEXTAREA processed by Simditor. No authentication or special network position is needed if the editor is exposed to untrusted users. The attacker simply submits the crafted payload via the editor's interface [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information [1].
Mitigation
No fix has been released by the vendor as of January 2018. Users should upgrade to a patched version if one becomes available, or deploy a content security policy (CSP) that restricts inline script execution; a script-src directive that omits 'unsafe-inline' prevents inline event handlers such as the onload attribute in this payload from running. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| simditor (npm) | <= 2.3.11 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
- github.com/advisories/GHSA-p9wj-wrrm-84m5 [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2018-6464 [ghsa, ADVISORY]
- github.com/Heartway/simditor/blob/master/simditor.docx [ghsa, x_refsource_MISC, WEB]
News mentions: 0
No linked articles in our index yet.