CVE-2018-14037

Name of the Vulnerable Software and Affected Versions Progress Kendo UI Editor version 2018.1.221

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor due to the editorNS.Serializer to toEditableHtml function in kendo.all.min.js. When a victim accesses the editor, the payload is executed. If the payload is reflected in other resources relying on the editor's sanitization, the JavaScript payload is executed in the application's context, potentially allowing attackers to take over user sessions.

Recommendations For Progress Kendo UI Editor version 2018.1.221, consider disabling the toEditableHtml function in kendo.all.min.js as a temporary workaround until a patch is available. Restrict access to the WYSIWYG editor to minimize the risk of exploitation.