PT-2018-15413 · Unknown · Chat Anywhere

Published: 2018-12-27 · Updated: 2019-01-17 · CVE-2018-20524

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Chat Anywhere extension version 2.4.0

Description: The issue allows cross-site scripting (XSS) through improper handling of crafted messages containing <a> tags. This is because a danmuWrapper DIV element in the chatbox-onlydanmu.js file falls outside the scope of the Content Security Policy (CSP), which is designed to protect against such attacks.

Recommendations: For Chat Anywhere extension version 2.4.0, consider disabling the danmuWrapper DIV element in chatbox-onlydanmu.js until a patch is available to prevent potential XSS attacks.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2018-20524

Affected Products

Chat Anywhere