CVE-2023-46252

Name of the Vulnerable Software and Affected Versions Squidex (affected versions not specified)

Description The issue concerns a Cross-Site Scripting (XSS) vulnerability due to missing origin verification in a postMessage handler. This affects the editor-sdk.js file, which defines class-like functions such as SquidexSidebar, SquidexWidget, and SquidexFormField. These functions employ a global message event listener that takes action based on the received message type. For instance, the SquidexFormField updates its value property when it receives a message with the type 'valueChanged'. This class is used in the editor-editorjs.html file, accessible via the public wwwroot folder, where it registers a callback function using the onValueChanged method. This method passes the value from the message event to the editor.render, introducing an XSS vulnerability if an attacker-controlled value is passed.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.