CVE-2023-26149

Name of the Vulnerable Software and Affected Versions quill-mention versions prior to 4.0.0

Description The issue is related to improper user-input sanitization, which can lead to Cross-site Scripting (XSS) attacks. This occurs via the renderList function. If the mentions list is sourced from unsafe (user-sourced) data, it might allow an injection attack when a Quill user hits @.

Recommendations For versions prior to 4.0.0, update to version 4.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the renderList function until a patch is available. Restrict access to user-sourced data to minimize the risk of exploitation. Avoid using unsafe data sources for the mentions list until the issue is resolved.