CVE-2020-19697
Description
Cross Site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the src parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-19697 is an XSS vulnerability in Pandao Editor.md v1.5.0 that allows arbitrary JavaScript execution via a crafted `<iframe>` `src` attribute.
Vulnerability
Overview
CVE-2020-19697 describes a Cross-Site Scripting (XSS) vulnerability in Pandao Editor.md version 1.5.0. The flaw resides in the editor's handling of the `<iframe>` element's `src` attribute, which fails to sanitize user-supplied input properly [1][2]. An attacker can inject a malicious `javascript:` URI into the `src` attribute, leading to arbitrary JavaScript execution within the context of the user's browser session.
Attack
Vector and Prerequisites
To exploit this vulnerability, an attacker only needs to submit Markdown containing a payload such as an `<iframe>` whose `src` attribute is a `javascript:` URI [4]. The only prerequisite is a way to get that Markdown rendered by an application that uses the library; no authentication is required to trigger the script, and any user who views the rendered content containing the malicious iframe executes the injected code in their own browser. The vulnerability is triggered during the conversion of Markdown to HTML, where the `editormd.markdownToHTML()` function does not filter dangerous HTML tags or attributes by default [1].
Impact
Successful exploitation allows a remote attacker to execute arbitrary JavaScript in the victim's browser [2]. This can lead to session hijacking, cookie theft, defacement, or other client-side attacks. The impact is broad across any application that embeds or uses the vulnerable Editor.md library to render user-controlled Markdown content.
Mitigation
Status
As of the latest references, a fix has been proposed in pull request #860 [3], which disables script and event-handler attributes by default and introduces explicit `allowScript` and `allowOn` options for applications that deliberately want them. Users are advised to apply that patch or update to a version that includes it. The issue was reported in 2020 and appears to have a merged fix in the repository, but no patched release version is listed in the affected-package table below [2][3].
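The mechanics described above (a `javascript:` URI surviving into an `<iframe>` `src` during Markdown-to-HTML conversion) and the opt-in `allowScript`/`allowOn` behaviour described for the proposed fix, as an added example that is not Editor.md's own code: a small attribute filter that drops script-scheme URIs and `on*` event handlers unless the caller opts in. The option names mirror the advisory's description of the patch; the filtering logic, the helper names and the sample payloads are all constructed for this illustration and are not the library's implementation. For production use a parser-based sanitizer such as DOMPurify rather than the regexes here.

```javascript
// Added example, hypothetical implementation: not Editor.md's code and not the
// logic of pull request #860. Shows the bug class behind CVE-2020-19697 (dangerous
// URI schemes and event-handler attributes passing through to rendered HTML) and
// the opt-in semantics of allowScript / allowOn described for the proposed fix.

// Attributes whose values are interpreted as URLs and therefore carry scheme risk.
const URI_ATTRS = new Set(["src", "href", "action", "formaction", "xlink:href"]);

// Schemes that execute script (javascript:, vbscript:) or smuggle content (data:).
// Blocking data: is deliberately strict; relax it for <img> if your app needs it.
const DANGEROUS_SCHEME = /^(?:javascript|vbscript|data):/i;

function codePoint(n) {
  return n > 0x10ffff ? "" : String.fromCodePoint(n);
}

// Undo the obfuscations browsers tolerate before checking the scheme:
// numeric entities ("&#106;avascript:") and ASCII control/whitespace characters
// inside the scheme ("java\tscript:"). Only used for the decision, not re-emitted.
function normalizeScheme(value) {
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => codePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => codePoint(parseInt(dec, 10)));
  return decoded.replace(/[\u0000-\u0020]/g, "");
}

function isDangerousUri(value) {
  return DANGEROUS_SCHEME.test(normalizeScheme(value));
}

// Start tag: captures the tag name, the raw attribute string and a self-closing slash.
const START_TAG =
  /<([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
// One attribute inside the captured attribute string (double-, single- or unquoted value).
const ATTR = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Default (allowScript=false, allowOn=false) is the hardened behaviour; passing
// allowScript: true reproduces the vulnerable pass-through for illustration.
function sanitizeHtml(html, { allowScript = false, allowOn = false } = {}) {
  let out = html;
  if (!allowScript) {
    out = out
      .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "") // complete script blocks
      .replace(/<\/?script\b[^>]*>/gi, "");                   // stray open or close tags
  }
  return out.replace(START_TAG, (_, tag, rawAttrs, selfClose) => {
    const kept = [];
    for (const m of rawAttrs.matchAll(ATTR)) {
      const name = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4];
      if (!allowOn && name.startsWith("on")) continue; // onerror, onload, onclick, ...
      if (!allowScript && value !== undefined && URI_ATTRS.has(name) && isDangerousUri(value)) {
        continue; // e.g. <iframe src="javascript:..."> is emitted without its src
      }
      kept.push(value === undefined ? name : `${name}="${value.replace(/"/g, "&quot;")}"`);
    }
    return `<${tag}${kept.length ? " " + kept.join(" ") : ""}${selfClose}>`;
  });
}

// Constructed sample payloads of the kind the advisory describes.
const IFRAME_PAYLOAD = '<iframe src="javascript:alert(document.cookie)"></iframe>';
const IMG_PAYLOAD = '<img src=x onerror="alert(1)">';

module.exports = { sanitizeHtml, isDangerousUri, IFRAME_PAYLOAD, IMG_PAYLOAD };
```

The check runs on the attribute value after entity decoding and control-character stripping because browsers apply both before resolving the scheme, so a filter that only looks at the literal string `javascript:` is trivially bypassed. Note that the hardened path must run after Markdown-to-HTML conversion, on the final HTML, since the inline HTML passes through the Markdown converter untouched.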
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| editor.md | npm | <= 1.5.0 | — |
Affected products
- Pandao/Editor.md
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.