CVE-2023-26149 - Vulnerability Details - OpenCVE

Versions of the package quill-mention before 4.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization, via the renderList function.

**Note:**

If the mentions list is sourced from unsafe (user-sourced) data, this might allow an injection attack when a Quill user hits @.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01237.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Quill-mention	Quill Mention

Configuration 1 [-]

cpe:2.3:a:quill-mention:quill_mention:*:*:*:*:*:node.js:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2536	Versions of the package quill-mention before 4.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization, via the renderList function. Note: If the mentions list is sourced from unsafe (user-sourced) data, this might allow an injection attack when a Quill user hits @.
Github GHSA	GHSA-jgw5-rp4p-qhp6	quill-mention Cross-site Scripting vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://codepen.io/ALiangLiang/pen/mdQMJXK
https://github.com/quill-mention/quill-mention/blob/0aa9847719257496b14ac5401872c4e2ffcbc3d1/src/quill.mention.js%23L391
https://github.com/quill-mention/quill-mention/commit/e85262ddced0a7f0b6fc8350d236a68bd1e28385
https://github.com/quill-mention/quill-mention/issues/255
https://github.com/quill-mention/quill-mention/pull/341
https://security.snyk.io/vuln/SNYK-JS-QUILLMENTION-5921549

History

Mon, 23 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2023-09-28T05:00:02.741Z

Updated: 2024-09-23T19:01:41.735Z

Reserved: 2023-02-20T10:28:48.929Z

Link: CVE-2023-26149

Vulnrichment

Updated: 2024-08-02T11:39:06.638Z

NVD

Status : Modified

Published: 2023-09-28T05:15:46.023

Modified: 2024-11-21T07:50:52.863

Link: CVE-2023-26149

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26149", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-20T10:28:48.929Z", "datePublished": "2023-09-28T05:00:02.741Z", "dateUpdated": "2024-09-23T19:01:41.735Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P"}}], "credits": [{"value": "Teodor Atroshenk", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (XSS)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-09-28T05:00:02.741Z"}, "descriptions": [{"value": "Versions of the package quill-mention before 4.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization, via the renderList function. \r\r**Note:**\r\rIf the mentions list is sourced from unsafe (user-sourced) data, this might allow an injection attack when a Quill user hits @.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-QUILLMENTION-5921549"}, {"url": "https://github.com/quill-mention/quill-mention/blob/0aa9847719257496b14ac5401872c4e2ffcbc3d1/src/quill.mention.js%23L391"}, {"url": "https://codepen.io/ALiangLiang/pen/mdQMJXK"}, {"url": "https://github.com/quill-mention/quill-mention/issues/255"}, {"url": "https://github.com/quill-mention/quill-mention/pull/341"}, {"url": "https://github.com/quill-mention/quill-mention/commit/e85262ddced0a7f0b6fc8350d236a68bd1e28385"}], "affected": [{"product": "quill-mention", "versions": [{"version": "0", "lessThan": "4.0.0", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.638Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-QUILLMENTION-5921549", "tags": ["x_transferred"]}, {"url": "https://github.com/quill-mention/quill-mention/blob/0aa9847719257496b14ac5401872c4e2ffcbc3d1/src/quill.mention.js%23L391", "tags": ["x_transferred"]}, {"url": "https://codepen.io/ALiangLiang/pen/mdQMJXK", "tags": ["x_transferred"]}, {"url": "https://github.com/quill-mention/quill-mention/issues/255", "tags": ["x_transferred"]}, {"url": "https://github.com/quill-mention/quill-mention/pull/341", "tags": ["x_transferred"]}, {"url": "https://github.com/quill-mention/quill-mention/commit/e85262ddced0a7f0b6fc8350d236a68bd1e28385", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T19:01:30.411379Z", "id": "CVE-2023-26149", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T19:01:41.735Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-QUILLMENTION-5921549", "tags": ["x_transferred"]}, {"url": "https://github.com/quill-mention/quill-mention/blob/0aa9847719257496b14ac5401872c4e2ffcbc3d1/src/quill.mention.js%23L391", "tags": ["x_transferred"]}, {"url": "https://codepen.io/ALiangLiang/pen/mdQMJXK", "tags": ["x_transferred"]}, {"url": "https://github.com/quill-mention/quill-mention/issues/255", "tags": ["x_transferred"]}, {"url": "https://github.com/quill-mention/quill-mention/pull/341", "tags": ["x_transferred"]}, {"url": "https://github.com/quill-mention/quill-mention/commit/e85262ddced0a7f0b6fc8350d236a68bd1e28385", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.638Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26149", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-23T19:01:30.411379Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T19:01:37.250Z"}}], "cna": {"credits": [{"lang": "en", "value": "Teodor Atroshenk"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "quill-mention", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.0", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-QUILLMENTION-5921549"}, {"url": "https://github.com/quill-mention/quill-mention/blob/0aa9847719257496b14ac5401872c4e2ffcbc3d1/src/quill.mention.js%23L391"}, {"url": "https://codepen.io/ALiangLiang/pen/mdQMJXK"}, {"url": "https://github.com/quill-mention/quill-mention/issues/255"}, {"url": "https://github.com/quill-mention/quill-mention/pull/341"}, {"url": "https://github.com/quill-mention/quill-mention/commit/e85262ddced0a7f0b6fc8350d236a68bd1e28385"}], "descriptions": [{"lang": "en", "value": "Versions of the package quill-mention before 4.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization, via the renderList function. \r\r**Note:**\r\rIf the mentions list is sourced from unsafe (user-sourced) data, this might allow an injection attack when a Quill user hits @."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-09-28T05:00:02.741Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26149", "state": "PUBLISHED", "dateUpdated": "2024-09-23T19:01:41.735Z", "dateReserved": "2023-02-20T10:28:48.929Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2023-09-28T05:00:02.741Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quill-mention:quill_mention:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FB0D0A07-8B68-4670-A50F-E1E9F45557BA", "versionEndExcluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package quill-mention before 4.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization, via the renderList function. \r\r**Note:**\r\rIf the mentions list is sourced from unsafe (user-sourced) data, this might allow an injection attack when a Quill user hits @."}, {"lang": "es", "value": "Las versiones del paquete quill-mention anteriores a 4.0.0 son vulnerables a Cross-site Scripting (XSS) debido a una incorrecta sanitizaci\u00f3n de la entrada del usuario, a trav\u00e9s de la funci\u00f3n renderList. **Nota:** Si la lista de menciones proviene de datos no seguros (procedentes del usuario), esto podr\u00eda permitir un ataque de inyecci\u00f3n cuando un usuario de Quill presiona @."}], "id": "CVE-2023-26149", "lastModified": "2024-11-21T07:50:52.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-28T05:15:46.023", "references": [{"source": "report@snyk.io", "tags": ["Exploit"], "url": "https://codepen.io/ALiangLiang/pen/mdQMJXK"}, {"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/quill-mention/quill-mention/blob/0aa9847719257496b14ac5401872c4e2ffcbc3d1/src/quill.mention.js%23L391"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/quill-mention/quill-mention/commit/e85262ddced0a7f0b6fc8350d236a68bd1e28385"}, {"source": "report@snyk.io", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/quill-mention/quill-mention/issues/255"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/quill-mention/quill-mention/pull/341"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-QUILLMENTION-5921549"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://codepen.io/ALiangLiang/pen/mdQMJXK"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/quill-mention/quill-mention/blob/0aa9847719257496b14ac5401872c4e2ffcbc3d1/src/quill.mention.js%23L391"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/quill-mention/quill-mention/commit/e85262ddced0a7f0b6fc8350d236a68bd1e28385"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/quill-mention/quill-mention/issues/255"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/quill-mention/quill-mention/pull/341"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-QUILLMENTION-5921549"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}