M. Tomaselli

Researcher from SEC Consult Vulnerability Lab
#43528 of 53,632
6.1 Total CVSS
Vulnerabilities · 1
PT-2018-12293
6.1
2018-09-28
Progress · Kendo Ui Editor · CVE-2018-14037
**Name of the Vulnerable Software and Affected Versions**

Progress Kendo UI Editor version 2018.1.221

**Description**

A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor, caused by the `toEditableHtml` function of `editorNS.Serializer` in `kendo.all.min.js`. The payload is executed when a victim opens the editor. If the payload is reflected into other resources that rely on the editor's sanitization, the JavaScript runs in the application's context, potentially allowing attackers to take over user sessions.

**Recommendations**

For Progress Kendo UI Editor version 2018.1.221, consider disabling the `toEditableHtml` function in `kendo.all.min.js` as a temporary workaround until a patch is available. Restrict access to the WYSIWYG editor to minimize the risk of exploitation.