MEDIUM🇵🇱 Wersja polska

CVE-2023-46252

CVSS 6.8v3.1pub. 2023-11-07upd. 2024-11-21

Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verification in a postMessage handler which introduces a Cross-Site Scripting (XSS) vulnerability. The editor-sdk.js file defines three different class-like functions, which employ a global message event listener: SquidexSidebar, SquidexWidget, and SquidexFormField. The registered event listener takes some action based on the type of the received message. For example, when the SquidexFormField receives a message with the type valueChanged, the value property is updated. The SquidexFormField class is for example used in the editor-editorjs.html file, which can be accessed via the public wwwroot folder. It uses the onValueChanged method to register a callback function, which passes the value provided from the message event to the editor.render. Passing an attacker-controlled value to this function introduces a Cross-Site Scripting (XSS) vulnerability.

CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
  • Squidex.io Squidex

    APP
    Squidex.Io
    7.8.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2026-24736CRITICAL9.1PL ✓ten sam produkt

SSRF w Squidex — pełny odczyt odpowiedzi HTTP przez konfigurację Webhooków

CVE-2023-46253CRITICAL9.1ten sam produkt

Squidex is an open source headless CMS and content management hub. Affected versions are subject to an arbitra...

CVE-2023-46857MEDIUM5.4ten sam produkt

Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is...

CVE-2023-46744MEDIUM5.4ten sam produkt

Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Sc...

CVE-2023-3580MEDIUM4.3ten sam produkt

Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.