VYPR
Unrated severity · NVD Advisory · Published Mar 6, 2023 · Updated Feb 25, 2025

HTML tags in entity names in the tree view are not sanitised in quickentity-editor-next

CVE-2023-27472

Description

quickentity-editor-next is an open source, system local, video game asset editor. In affected versions HTML tags in entity names are not sanitised (XSS vulnerability). Allows arbitrary code execution within the browser sandbox, among other things, simply from loading a file containing a script tag in any entity name. This issue has been patched in version 1.28.1 of the application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in quickentity-editor-next allows arbitrary code execution via unsanitized HTML tags in entity names.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in quickentity-editor-next versions prior to 1.28.1. The application fails to sanitize HTML tags in entity names displayed in the tree view, allowing arbitrary script execution within the browser sandbox. The issue is triggered simply by loading a file that contains a script tag in any entity name. The fix, implemented in commit 5303b45a20a6e4e9318729b8dd7bbf09b37b369d [1], adds a sanitise() function call for entity names and sets force_text: true in the tree view configuration [1].

Exploitation

An attacker can craft a malicious JSON file containing entity names with embedded HTML tags, such as ``. When a victim opens this file in quickentity-editor-next, the unsanitized entity name is rendered in the tree view, and the script executes within the browser's security context [2]. No authentication or special privileges are required beyond the ability to provide a crafted file to a user of the application.

Impact

Successful exploitation allows arbitrary code execution within the browser sandbox, potentially leading to data theft, session hijacking, or further compromise of the user's local assets managed by the editor. The attack can occur simply from opening a crafted file, with no user interaction beyond loading the asset [2]. The impact is limited to the browser environment and does not extend to the underlying operating system.

Mitigation

The vulnerability is patched in version 1.28.1 of quickentity-editor-next [2]. Users should upgrade to this version immediately. No workarounds exist; the only mitigation is updating the application [2]. The repository was archived on July 15, 2024, and is no longer actively maintained.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0. No linked articles in our index yet.