CVE-2020-23849
Stored Cross-Site Scripting (XSS) vulnerability in jsoneditor (npm)
What is CVE-2020-23849 About?
This vulnerability is a Stored Cross-Site Scripting (XSS) in jsoneditor before version 9.0.2, affecting its tree mode. Attackers can inject and execute malicious JavaScript, leading to arbitrary code execution in the victim's browser, and it is moderately easy to exploit.
Affected Software
Technical Details
A Stored Cross-Site Scripting (XSS) vulnerability exists in versions of jsoneditor prior to 9.0.2. This flaw specifically impacts the 'tree mode' functionality of the editor. An attacker can inject malicious JavaScript code into data that gets stored by the application (e.g., in a database). When a legitimate user later views or loads this malicious data through the jsoneditor's tree mode interface, the stored script is retrieved from the server and executed within their web browser. This occurs because the application fails to properly sanitize or escape user-supplied input before rendering it in the DOM, allowing the injected script to bypass content security policies and execute with the privileges of the user browsing the page.
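The rendering flaw described above, illustrated with added example code that is not jsoneditor's own: a minimal tree-style renderer in which `renderUnsafe` concatenates stored JSON keys and values straight into markup (the flawed pattern), `renderSafe` HTML-escapes them first, and `isAffectedVersion` flags a jsoneditor dependency below the 9.0.2 fix. The renderer, the escaping helper and the sample JSON are constructed for illustration.

```javascript
// Added illustration for CVE-2020-23849 (not jsoneditor's code): a tiny
// tree-mode style renderer that turns untrusted JSON into HTML.

// Escape the five characters that let text break out of an HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Flawed pattern: stored JSON text lands in the page as live markup.
function renderUnsafe(node) {
  if (node !== null && typeof node === 'object') {
    const items = Object.entries(node)
      .map(([k, v]) => `<li><span class="key">${k}</span>: ${renderUnsafe(v)}</li>`);
    return `<ul>${items.join('')}</ul>`;
  }
  return `<span class="value">${node}</span>`;
}

// Hardened pattern: same tree structure, but every key and scalar value is
// escaped before it is placed into the DOM, so a stored string stays text.
function renderSafe(node) {
  if (node !== null && typeof node === 'object') {
    const items = Object.entries(node)
      .map(([k, v]) => `<li><span class="key">${escapeHtml(k)}</span>: ${renderSafe(v)}</li>`);
    return `<ul>${items.join('')}</ul>`;
  }
  return `<span class="value">${escapeHtml(node)}</span>`;
}

// Dependency check: jsoneditor versions before 9.0.2 are in the affected range.
function isAffectedVersion(version) {
  const [maj, min, pat] = version.split('.').map(Number);
  return maj < 9 || (maj === 9 && min === 0 && pat < 2);
}

// Constructed sample: a stored document whose value carries markup.
const storedDoc = { title: 'report', note: '<script>alert(1)</script>' };
console.log(renderUnsafe(storedDoc)); // markup survives intact
console.log(renderSafe(storedDoc));   // markup rendered as &lt;script&gt;...
```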
What is the Impact of CVE-2020-23849?
Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, sensitive data theft, or redirection to malicious sites.
What is the Exploitability of CVE-2020-23849?
Exploitation of this Stored XSS vulnerability typically involves medium complexity, requiring the attacker to first find an input field in the jsoneditor's tree mode where malicious data can be stored persistently. Authentication may be required to submit the malicious payload, but once stored, any authenticated or unauthenticated user viewing the affected data will be impacted. This is a remote attack. Privilege requirements are generally those of a regular user who can submit and store content. The likelihood of exploitation increases if the application allows users to submit and view JSON data without robust input validation and output encoding, or if administrative interfaces are accessible with insufficient protections.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-23849?
Available Upgrade Options
- jsoneditor
- <9.0.2 → Upgrade to 9.0.2
What are Similar Vulnerabilities to CVE-2020-23849?
Similar Vulnerabilities: CVE-2020-13693, CVE-2020-13768, CVE-2020-11022, CVE-2020-13871, CVE-2020-14197
