CVE-2019-14517
Description
pandao Editor.md 1.5.0 allows XSS via the Javascript: string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Editor.md 1.5.0 allows stored XSS via a crafted Markdown link using a Javascript: string.
Vulnerability
Overview
CVE-2019-14517 is a stored cross-site scripting (XSS) vulnerability in pandao Editor.md version 1.5.0. The root cause is insufficient sanitization of Markdown input, specifically of the `javascript:` URI scheme in link destinations. An attacker can inject arbitrary JavaScript code that executes in the context of a victim's browser session [1][2].
Exploitation
The vulnerability is triggered when a user views or renders a Markdown document containing a crafted link. The proof-of-concept payload, a Markdown link with the text `xss poc` and an encoded `javascript:` URI as its destination, is entered in edit mode; upon rendering, the browser decodes the URI and executes the attacker-supplied script. No authentication or special privileges are required beyond the ability to supply content to the Editor.md application [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, leading to potential cookie theft, session hijacking, defacement, or other client-side attacks. Since the script runs in the context of the affected site, the attacker could fully compromise the user's session and data [2].
Mitigation
Status
As of the publication date, the vendor has acknowledged the issue in the project's GitHub repository but no patch was immediately available. Users are advised to implement input validation, output sanitization, and proper escaping of user-supplied content [1][2]. The software should be upgraded to a patched version if one becomes available.
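The "output sanitization" the status note recommends, shown as an added example written for this page (it is not Editor.md's own code or a vendor patch): an allowlist check on Markdown link destinations that decodes HTML entities and strips control characters before reading the scheme, so an encoded or whitespace-split `javascript:` string is rejected rather than emitted into an `href`. The function names `safeLinkHref`, `renderLink` and the idea of hooking the renderer's link emission are assumptions; the sample inputs are constructed.

```javascript
// Added example, not part of Editor.md. Assumes the Markdown renderer lets us
// intercept link emission and hands us the raw destination string.

// Schemes a rendered link may use. Anything else (javascript:, data:, vbscript:
// and any future scheme) is rejected by default; relative URLs are allowed.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  colon: ":", tab: "\t", newline: "\n",
};

// Decode numeric (&#106; / &#x6a;) and a few named entities. Browsers decode
// these inside attribute values, so the check must see what the browser sees.
function decodeEntities(s) {
  const fromCp = (cp) => (cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos|colon|tab|newline);/gi,
      (_, n) => NAMED_ENTITIES[n.toLowerCase()]);
}

// Returns a decoded href that is safe to place in an attribute, or null when
// the destination uses a scheme outside the allowlist.
function safeLinkHref(rawHref) {
  if (typeof rawHref !== "string") return null;
  const decoded = decodeEntities(rawHref);
  // Browsers ignore ASCII control characters (including tab/newline) inside a
  // scheme, so "java\tscript:" still runs script. Strip them for the probe only.
  const probe = decoded.replace(/[\u0000-\u0020\u007f]+/g, "");
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (scheme === null) return decoded.trim();            // relative URL
  // Note: a bare "host:port/path" also parses as a scheme here and is rejected;
  // that matches how a browser would interpret it, so it is the safe choice.
  return SAFE_SCHEMES.has(scheme[1].toLowerCase()) ? decoded.trim() : null;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Emit the anchor, or just the escaped link text when the target is unsafe.
function renderLink(text, rawHref) {
  const href = safeLinkHref(rawHref);
  if (href === null) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

module.exports = { safeLinkHref, renderLink, decodeEntities };
```

Dropping the anchor but keeping its text, as `renderLink` does, is the conservative choice for stored content: the document still renders, the reviewer can see what was attempted, and nothing executable reaches the DOM. A scheme allowlist, rather than a denylist of `javascript:` spellings, is what makes the entity and control-character cases above manageable.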
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- pandao/Editor.md (per CVE description)
- pandao/Editor.md (per GHSA coordinates)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5q54-8p9j-x74j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-14517 (NVD advisory)
- github.com/pandao/editor.md/issues/709 (project issue tracker, MISC)
News mentions
No linked articles in our index yet.