CVE-2021-3163 - Vulnerability Details - OpenCVE

A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. Note: Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00496.

Key SSVC decision points have not yet been added.

Vendors	Products
Slab Subscribe	Quill Subscribe

Configuration 1 [-]

cpe:2.3:a:slab:quill:4.8.0:*:*:*:*:node.js:*:*

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-4943-9vgg-gr5r	Cross-site Scripting in quill

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html
https://github.com/quilljs/quill/issues/3273
https://github.com/quilljs/quill/issues/3364
https://quilljs.com

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-04-12T20:35:07

Updated: 2024-08-03T16:45:51.393Z

Reserved: 2021-01-17T00:00:00

Link: CVE-2021-3163

Vulnrichment

Updated: 2024-08-03T16:45:51.393Z

NVD

Status : Modified

Published: 2021-04-12T21:15:14.340

Modified: 2024-11-21T06:21:02.183

Link: CVE-2021-3163

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. Note: Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-25T16:42:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://quilljs.com"}, {"tags": ["x_refsource_MISC"], "url": "https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/quilljs/quill/issues/3273"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/quilljs/quill/issues/3364"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-3163", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. Note: Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://quilljs.com", "refsource": "MISC", "url": "https://quilljs.com"}, {"name": "https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html", "refsource": "MISC", "url": "https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html"}, {"name": "https://github.com/quilljs/quill/issues/3273", "refsource": "MISC", "url": "https://github.com/quilljs/quill/issues/3273"}, {"name": "https://github.com/quilljs/quill/issues/3364", "refsource": "MISC", "url": "https://github.com/quilljs/quill/issues/3364"}]}}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T18:28:30.323980Z", "id": "CVE-2021-3163", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T18:28:36.966Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:45:51.393Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://quilljs.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quilljs/quill/issues/3273"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quilljs/quill/issues/3364"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-3163", "datePublished": "2021-04-12T20:35:07", "dateReserved": "2021-01-17T00:00:00", "dateUpdated": "2024-08-03T16:45:51.393Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://quilljs.com", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/quilljs/quill/issues/3273", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/quilljs/quill/issues/3364", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:45:51.393Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-3163", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-19T18:28:30.323980Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T18:28:33.709Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://quilljs.com", "tags": ["x_refsource_MISC"]}, {"url": "https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/quilljs/quill/issues/3273", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/quilljs/quill/issues/3364", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. Note: Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2021-10-25T16:42:19"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://quilljs.com", "name": "https://quilljs.com", "refsource": "MISC"}, {"url": "https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html", "name": "https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html", "refsource": "MISC"}, {"url": "https://github.com/quilljs/quill/issues/3273", "name": "https://github.com/quilljs/quill/issues/3273", "refsource": "MISC"}, {"url": "https://github.com/quilljs/quill/issues/3364", "name": "https://github.com/quilljs/quill/issues/3364", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. Note: Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-3163", "STATE": "PUBLIC", "ASSIGNER": "cve@mitre.org"}}}}, "cveMetadata": {"cveId": "CVE-2021-3163", "state": "PUBLISHED", "dateUpdated": "2024-08-03T16:45:51.393Z", "dateReserved": "2021-01-17T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2021-04-12T20:35:07", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:slab:quill:4.8.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "AE851EDE-63BD-4A7A-9A1E-7AE5575DDEB0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. Note: Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser"}, {"lang": "es", "value": "** EN DISPUTA ** Una vulnerabilidad en el editor HTML de Slab Quill versi\u00f3n 4.8.0, permite a un atacante ejecutar JavaScript arbitrario almacenando una carga \u00fatil XSS (un atributo onloadstart dise\u00f1ado de un elemento IMG) en un campo de texto. Nota: Los investigadores han afirmado que este problema no est\u00e1 dentro del propio producto, sino que es un comportamiento previsto en un navegador web."}], "id": "CVE-2021-3163", "lastModified": "2024-11-21T06:21:02.183", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-12T21:15:14.340", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/quilljs/quill/issues/3273"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/quilljs/quill/issues/3364"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://quilljs.com"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/quilljs/quill/issues/3273"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/quilljs/quill/issues/3364"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://quilljs.com"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}