CVE-2021-4103

Name of the Vulnerable Software and Affected Versions vditor versions prior to 1.0.34

Description The issue is related to Cross-site Scripting (XSS) - Stored, where vditor does not filter user input in SVG events, leading to XSS. This can be exploited using malicious SVG code, such as an animate tag with an onbegin attribute set to execute arbitrary JavaScript, for example: <svg><animate onbegin=alert(11) attributeName=x dur=1s>.

Recommendations For versions prior to 1.0.34, update to version 1.0.34 or later to resolve the issue. As a temporary workaround, consider disabling the use of SVG events in vditor until a patch is available. Restrict access to the vditor module to minimize the risk of exploitation. Avoid using unfiltered user input in SVG events until the issue is resolved.