Cross-site Scripting (XSS) - Stored in vanessa219/vditor


Reported on

Dec 10th 2021


the editor has XSS vulnerability

Proof of Concept


<svg><animate onbegin=alert(11) attributeName=x dur=1s>

Open the editor, enter the payload, and trigger the XSS vulnerability

demo pic :


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the vanessa219/vditor team within 24 hours. 2 years ago
We have contacted a member of the vanessa219/vditor team and are waiting to hear back 2 years ago
V validated this vulnerability 2 years ago
ning1022 has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


V marked this as fixed in 1.0.34 with commit 8d4d08 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation