
XSS Vulnerability Report: Discovering XSS Vulnerability through Data Schema Manipulation #4638

Open
6 tasks done
EunhoKim98 opened this issue May 11, 2024 · 2 comments

Comments

@EunhoKim98

Checklist

  • I've looked at the documentation to make sure the behavior isn't documented and expected.
  • I'm sure this is an issue with Summernote, not with my app or other dependencies (Angular, Cordova, React, etc.).
  • I've searched through the current issues to make sure this hasn't been reported yet.
  • My issue is pertinent to this repository of Summernote (jQuery), or I was unable to have my issue resolved from the relevant version I'm using, such as Angular, Django, Rails or React. Please try your issue at the relevant repository first.
  • I understand that issues without interaction for more than 14 days (2 weeks), may be closed at our discretion. We do this, as sometimes issues are abandoned. We may at our discretion, add issues to the relevant project to be looked at, or for maintainers to work through as time permits. This is to help keep issues relevant to the current version of Summernote, and to reduce clutter.
  • I agree to follow the Code of Conduct that this project adheres to.

Steps to reproduce

Step 1. Click on the "Insert Image" button within the Summernote functionality.

Step 2. Select an arbitrary image and insert it.

Step 3. Click on the "Code View" button.

Step 4. Attempt an XSS attack by manipulating the code of the inserted image.

```html
<iframe src="data:text/html;base64,PGltZyBzcmM9MSBvbmVycm9yPXdpbmRvdy5vcGVuKCdodHRwczovL3d3dy5nb29nbGUuY29tJyk+">
```

Step 5. Confirm that the Base64-encoded XSS attack code is indeed stored and operational, demonstrating its functionality.

Expected behavior


I expected that upon following the outlined steps, the Summernote functionality would insert the selected image as intended. Additionally, I anticipated that the Code View feature would allow for the manipulation of the inserted image's code. However, I did not expect the system to accept and execute the Base64-encoded XSS attack code, as this would indicate a vulnerability in the application's security measures.

Current behavior


After following the specified steps, the Summernote functionality successfully inserts the selected image into the editor. When switching to Code View and attempting to manipulate the code of the inserted image with Base64-encoded XSS attack code, the application does not prevent the insertion or execution of the malicious code. This behavior was observed in version 0.8.18 during my demonstration. Furthermore, similar findings were confirmed in a different environment running version 0.8.20, indicating that the vulnerability persists across multiple versions. This poses a serious security risk as it allows for potential exploitation of cross-site scripting vulnerabilities.

2024-05-09.23.35.24.mp4

Minimal example reproducing the issue

```html
<iframe src="data:text/html;base64,PGltZyBzcmM9MSBvbmVycm9yPXdpbmRvdy5vcGVuKCdodHRwczovL3d3dy5nb29nbGUuY29tJyk+">
```

Environment

  • Summernote version: 0.8.20
  • Browser (with version): Chrome 124.0.6367.119
  • OS/Platform (with version): Windows 11 laptop
@EunhoKim98
Author

The hacking demonstration is version 0.8.18, but I also succeeded in that attack in version 0.8.20.

[filtering code]

```javascript
// Keeps only the items whose schema does not declare a "text/html" entry;
// items with no schema at all are kept as well.
function filterHtmlSchema(data) {
  return data.filter(item => {
    const schema = item.schema;
    return !schema || !Object.prototype.hasOwnProperty.call(schema, "text/html");
  });
}
```

@HoffmannTom
Contributor

HoffmannTom commented May 11, 2024

I think the html code should be cleaned and filtered on the server side.
I use jsoup in java with a whitelist for this purpose.
For PHP there are similar extensions and libraries.

For your example, you could also use F12 and inject an alert without any summernote.
The attack should not be reflected but of course you can inject anything in your browser by yourself.
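An allowlist sanitizer of the kind the comment above describes, written in JavaScript for Node as an added example; it is not Summernote's code and not the jsoup configuration the commenter uses. The tag and attribute lists, the function names (`sanitizeHtml`, `urlAllowed`, `decodeEntities`) and the sample inputs are assumptions; the one payload it is fed verbatim is the `<iframe>` from the report. It goes slightly beyond the report by also refusing `javascript:` URLs and entity-encoded schemes, while still accepting the `data:image/...` sources Summernote itself produces for pasted images.

```javascript
// Added example, not Summernote's own code: an allowlist HTML sanitizer run on
// the editor's output before it is stored or shown to other users. Tag and
// attribute lists, function names and sample inputs are assumptions. A regex
// tokenizer keeps the policy readable; production code should use a maintained
// sanitizer (jsoup on a Java server, DOMPurify in the browser) that parses
// HTML the way browsers do.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Tags that may survive, with the attributes each may keep. Everything else,
// including every on* event handler and style attribute, is discarded.
const ALLOWED_TAGS = {
  p: [], br: [], b: [], i: [], u: [], strong: [], em: [], ul: [], ol: [], li: [],
  a: ["href"],
  img: ["src", "alt", "width", "height"],
};
// Elements whose content is discarded together with the tags themselves.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed"]);

// Named entities that decode to ASCII punctuation or whitespace. These (plus
// numeric references) are the only ones that could hide a URL scheme, since no
// other named entity yields an ASCII letter, digit or colon.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", colon: ":",
                sol: "/", Tab: "\t", NewLine: "\n" };

function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\uFFFD");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#([0-9]+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&([a-zA-Z]+);/g, (m, n) => (hasOwn(NAMED, n) ? NAMED[n] : m));
}

// URL policy for src/href, judged on the value as a browser would see it:
// entities decoded, control characters and whitespace removed, then the scheme
// read. Relative and http(s) URLs pass; data: passes only for <img src> with an
// image MIME type, so Summernote's default base64 image insertion keeps
// working while data:text/html (the report's payload), javascript: and every
// other scheme are refused.
function urlAllowed(tag, attr, value) {
  const v = decodeEntities(value).replace(/[\u0000-\u0020]/g, "").toLowerCase();
  if (!/^[a-z][a-z0-9+.-]*:/.test(v)) return true;          // no scheme: relative
  if (v.startsWith("http:") || v.startsWith("https:")) return true;
  return tag === "img" && attr === "src" && v.startsWith("data:image/");
}

// Entities in the source are passed through undecoded, so only the characters
// that would end the attribute or open a tag need escaping on output.
const escapeAttr = (v) => v.replace(/"/g, "&quot;").replace(/</g, "&lt;");
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function sanitizeAttributes(tag, rawAttrs) {
  const allowed = ALLOWED_TAGS[tag];
  let out = "";
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.includes(name)) continue;
    if ((name === "src" || name === "href") && !urlAllowed(tag, name, value)) continue;
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

// Cuts each tag at its first ">"; a real parser also handles ">" inside quotes.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;

function sanitizeHtml(html) {
  let out = "";
  let last = 0;
  let dropping = null; // name of the element whose content is being skipped
  for (const m of html.matchAll(TAG_RE)) {
    const [whole, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const closing = whole.startsWith("</");
    if (!dropping) out += html.slice(last, m.index).replace(/</g, "&lt;");
    last = m.index + whole.length;
    if (dropping) {
      if (closing && name === dropping) dropping = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) {
      // An unclosed <iframe ...> swallows the rest of the document, which is
      // how a browser treats it too; a self-closing form drops only the tag.
      if (!closing && !rawAttrs.trim().endsWith("/")) dropping = name;
      continue;
    }
    if (!hasOwn(ALLOWED_TAGS, name)) continue; // unknown tag removed, text kept
    out += closing ? `</${name}>` : `<${name}${sanitizeAttributes(name, rawAttrs)}>`;
  }
  if (!dropping) out += html.slice(last).replace(/</g, "&lt;");
  return out;
}

// The payload quoted in the report, copied here as the sample input.
const REPORTED_PAYLOAD =
  '<iframe src="data:text/html;base64,PGltZyBzcmM9MSBvbmVycm9yPXdpbmRvdy5vcGVuKCdodHRwczovL3d3dy5nb29nbGUuY29tJyk+">';

console.log(JSON.stringify(sanitizeHtml(REPORTED_PAYLOAD)));            // ""
console.log(sanitizeHtml('<p>Hi <img src="x" onerror="alert(1)"></p>')); // <p>Hi <img src="x"></p>
```

Run with `node sanitize.js`. The design point is that the allowlist is the policy: an attribute or scheme is either on the list or gone, so new handler attributes or exotic schemes need no blocklist update, and the only place that needs browser-level care is the URL check, where entity decoding and whitespace stripping must happen before the scheme is read.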
