Redactor JS 3 XSS

This repository documents the vulnerability details and exploit for Redactor JS 3 and prior versions.

Vulnerability Overview

This Proof of Concept (PoC) demonstrates the exploitation of an XSS vulnerability that I recently discovered in the Redactor JS WYSIWYG editor, which affects all versions of Redactor JS 3 and its prior versions. The flaw allows JavaScript execution by embedding a <script> tag inside a <figure> tag within the editor, which the library fails to sanitize.

Prerequisites

  1. Redactor JS (version <= 3.*.*): https://github.com/7Ragnarok7/Redactor-JS-3-XSS/tree/main/docs/redactor3/

Reproduction Steps

This vulnerability can be tested using the pre-configured Redactor JS 3 instance present here.

  1. Switch to Source/HTML mode and insert the payload:
    • Open the Redactor JS instance and click on the “HTML” icon.
    • Insert the following payload in the text area:

      <figure><script>alert`XSS Found`</script></figure>
      

      Redactor Preview Screenshot

      Payload Insertion Screenshot

  2. Switch to WYSIWYG Mode:
    • Click on the “HTML” icon again to switch back to the WYSIWYG mode.
    • Observe the XSS payload getting triggered.

      XSS Trigger Screenshot
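
Because the editor does not strip the nested <script>, HTML coming out of it has to be checked again wherever it is stored or rendered. The following is an added example, not code from this repository or from Redactor: a server-side allowlist gate in Node.js that rejects submitted markup outside a strict grammar. The allowlist, the URL rule and the name findDisallowedMarkup are assumptions.

```javascript
// Added example: allowlist gate for HTML received from the editor.
// The allowlist itself is an assumption; tune it to the markup you accept.
const ALLOWED = new Map([
  ...['p', 'br', 'strong', 'em', 'b', 'i', 'u', 'ul', 'ol', 'li', 'h1', 'h2',
    'h3', 'blockquote', 'pre', 'code', 'figure', 'figcaption'].map((t) => [t, []]),
  ['a', ['href']],
  ['img', ['src', 'alt']],
]);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_URL = /^(https?:\/\/|\/|#)/i;

// A single tag in a deliberately strict grammar (quoted attribute values only).
// Anything starting with "<" that does not fit is reported, never guessed at.
const TAG = /^<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z-]+\s*=\s*(?:"[^"<>]*"|'[^'<>]*'))*)\s*\/?>/;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

function findDisallowedMarkup(html) {
  const findings = new Set();
  for (let i = html.indexOf('<'); i !== -1; i = html.indexOf('<', i + 1)) {
    const m = TAG.exec(html.slice(i));
    if (!m) {
      findings.add(`unparseable markup at offset ${i}`);
      continue;
    }
    const name = m[1].toLowerCase();
    const allowedAttrs = ALLOWED.get(name);
    if (!allowedAttrs) {
      findings.add(`disallowed element <${name}>`);
      continue;
    }
    for (const [, rawAttr, dq, sq] of m[2].matchAll(ATTR)) {
      const attr = rawAttr.toLowerCase();
      const value = (dq ?? sq ?? '').trim();
      if (!allowedAttrs.includes(attr)) {
        findings.add(`disallowed attribute ${attr} on <${name}>`);
      } else if (URL_ATTRS.has(attr) && !SAFE_URL.test(value)) {
        findings.add(`unsafe URL in ${attr} on <${name}>`);
      }
    }
  }
  return [...findings];
}

// The payload from the reproduction steps is rejected before it is stored.
const PAGE_PAYLOAD = '<figure><script>alert`XSS Found`</script></figure>';
console.log(findDisallowedMarkup(PAGE_PAYLOAD));
```

An empty result means the input passed the gate. The check only accepts or rejects; where input must be rewritten instead, use a maintained sanitizer such as DOMPurify.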

Advisory