VYPR
Moderate severity · NVD Advisory · Published May 1, 2023 · Updated Jan 30, 2025

CVE-2023-29641


Description

Cross Site Scripting (XSS) vulnerability in pandao editor.md thru 1.5.0 allows attackers to inject arbitrary web script or HTML via crafted markdown text.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Editor.md prior to 1.5.0 allows stored cross-site scripting via crafted Markdown input due to insufficient sanitization, enabling arbitrary script execution.

Root Cause

CVE-2023-29641 describes a stored cross-site scripting (XSS) vulnerability in the pandao/editor.md open-source Markdown editor, affecting all versions through 1.5.0. The core issue is the absence of input sanitization on Markdown text; the library passes user-supplied content directly to the HTML rendering pipeline without stripping dangerous HTML tags or script attributes [1][3].

Exploitation Method

An attacker can inject arbitrary web script or HTML by embedding payloads inside Markdown constructs, such as an image tag with an onerror handler (e.g., ![](x'onerror=alert(1))). Because Editor.md processes the Markdown client-side via CodeMirror and the Marked library, any crafted text entered in the editor or submitted via the editormd.markdownToHTML() function will be rendered unsafely [2]. Exploitation requires no authentication when the editor is exposed to untrusted users (e.g., in public comment forms or collaborative editing).

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser session, leading to session hijacking, defacement, theft of sensitive data, or phishing within the application's origin. The vulnerability is classified with CVSS 6.1 (Medium severity) due to the need for user interaction (viewing the rendered content) and the lack of a direct network-based attack vector [2].

Mitigation

The project's repository indicates the issue has been reported via GitHub issue #985; however, as of the disclosure date, the maintainer has not released a patched version [3]. Users must implement a workaround by sanitizing all Markdown input server-side before passing it to Editor.md, for example by stripping event-handler attributes and dangerous HTML tags. Alternatively, migrating to a maintained fork or an alternative Markdown editor is recommended.
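As an added illustration of the sanitization workaround above (example code written for this page, not editor.md's own and not from the advisory), the filter below applies an allowlist to the HTML a Markdown renderer emits, just before that string would reach innerHTML; the sample inputs in the test are constructed. It assumes the output of an unmodified renderer and is meant to show the policy, so a production deployment should prefer a DOM-based sanitizer such as DOMPurify over this string-based version.

```javascript
// Added example (not editor.md's code): allowlist filter for renderer HTML.
const ALLOWED_TAGS = new Set(['p', 'a', 'img', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li', 'blockquote', 'br']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt', 'title'] };
const REMOVE_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['colon', ':'], ['tab', '\t'], ['newline', '\n']]);

// Decode entities so "&#106;avascript:" is judged as the browser would see it.
function decodeEntities(s) {
  const cp = (n) => (n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n));
  return s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&([a-z]+);?/gi, (m, n) => NAMED.get(n.toLowerCase()) ?? m);
}
// Relative URLs and http/https/mailto pass; any other scheme is rejected, even
// when whitespace or control characters are embedded in the scheme name.
function isSafeUrl(value) {
  const v = decodeEntities(value).replace(/[\x00-\x20]/g, '').toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return scheme === null || ['http', 'https', 'mailto'].includes(scheme[1]);
}
// Keep only allowlisted attributes; on* handlers and unsafe URLs are dropped.
function filterAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  const attrRe = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let kept = '', m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name.startsWith('on') || !allowed.includes(name)) continue; // onerror etc. never pass
    if ((name === 'href' || name === 'src') && !isSafeUrl(value)) continue;
    kept += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return kept;
}
// Script-like elements are removed with their content; other unlisted elements
// are unwrapped so only their text survives.
function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const text = (s) => s.replace(/</g, '&lt;'); // a stray "<" in text must not open a tag
  let out = '', last = 0, removing = null, m;
  while ((m = tagRe.exec(html)) !== null) {
    const [whole, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (removing === null) out += text(html.slice(last, m.index));
    last = m.index + whole.length;
    if (removing !== null) { if (slash && name === removing) removing = null; continue; }
    if (REMOVE_WITH_CONTENT.has(name)) { if (!slash) removing = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue; // unlisted element: keep only its text
    out += slash ? `</${name}>` : `<${name}${filterAttrs(name, rawAttrs)}>`;
  }
  return removing === null ? out + text(html.slice(last)) : out;
}
```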

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: editor.md (npm)
Affected versions: <= 1.5.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in our index yet)