CVE-2021-42228

Name of the Vulnerable Software and Affected Versions KindEditor version 4.1.x

Description A Cross Site Request Forgery (CSRF) issue exists, allowing attackers to trick users into clicking malicious links by uploading an HTML file containing CSRF code on a website using the editor. This can be done by first uploading the malicious file, then using the authority of the website to deceive users into clicking the link. The estimated number of potentially affected devices worldwide is not specified.

Recommendations For KindEditor version 4.1.x, as a temporary workaround, consider restricting access to the examples/uploadbutton.html endpoint until a patch is available. Avoid using the editor to upload HTML files containing potentially malicious code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.