Description
A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field. Note: Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser
Remediation
References
https://quilljs.com
https://burninatorsec.blogspot.com/2021/04/cve-2021-3163-xss-slab-quill-js.html
https://github.com/quilljs/quill/issues/3273
https://github.com/quilljs/quill/issues/3364
Related Vulnerabilities
CVE-2021-30638 Vulnerability in maven package org.apache.tapestry:tapestry-core
CVE-2020-28496 Vulnerability in maven package org.webjars.npm:three
CVE-2023-33246 Vulnerability in maven package org.apache.rocketmq:rocketmq-broker
CVE-2021-21317 Vulnerability in npm package uap-core
CVE-2020-22755 Vulnerability in maven package net.mingsoft:ms-mcms