Hieroshima

**Name of the Vulnerable Software and Affected Versions** Slab Quill version 4.8.0 **Description** A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload, specifically a crafted `onloadstart` attribute of an IMG element, in a text field. Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser. **Recommendations** For Slab Quill version 4.8.0, as a temporary workaround, consider disabling the use of the `onloadstart` attribute in the HTML editor until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.