CVE-2021-3163
Cross-Site Scripting (XSS) vulnerability in quill (npm)

Type: Cross-Site Scripting (XSS) | Exploit status: No known public exploit

What is CVE-2021-3163 About?

This is a stored Cross-Site Scripting (XSS) vulnerability in the HTML editor of Slab Quill that allows arbitrary JavaScript execution. An attacker saves a malicious XSS payload in a text field handled by the editor; the script then runs in the browser of any user who views that content. Exploitation is relatively easy: it requires little more than storing a crafted input in a field that other users can see.

Affected Software

quill <=1.3.7

Technical Details

A vulnerability in the HTML editor of Slab Quill allows for Cross-Site Scripting (XSS). An attacker injects an IMG element carrying a crafted onloadstart attribute into a text field, and that attribute is the XSS payload. When the stored field is later rendered as HTML in another user's browser, the JavaScript in the onloadstart handler executes in that user's context, giving arbitrary client-side script execution and, with it, session hijacking, data theft or defacement. onloadstart is simply the handler named in the report; the underlying problem is that an event-handler attribute reaches the rendered output unsanitized, so any other on* attribute (onerror, onload, onmouseover) that survives in the same way has the same effect.

What is the Impact of CVE-2021-3163?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, enabling session hijacking, defacement, unauthorized data access, or redirection to malicious sites.

What is the Exploitability of CVE-2021-3163?

Exploitation of this XSS vulnerability is straightforward. The attacker needs only the ability to submit content to a text field processed by the Slab Quill HTML editor; no authentication or privilege beyond whatever is needed to reach that input form is likely required. The vulnerability is remote: the attacker stores the payload once, and it executes in the browser of every other user who views the content. The one precondition is that the saved content is rendered as HTML for other users rather than displayed as escaped text. No tooling beyond a web browser capable of submitting crafted input is needed, and the impact is high once the payload is rendered.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits (no entries recorded)

What are the Available Fixes for CVE-2021-3163?

Available Upgrade Options

  • No fixes available: no fixed quill version is listed on this page. Until one is, treat editor output as untrusted HTML: sanitize it on the server with an allowlist of tags and attributes, dropping every on* event-handler attribute, and serve a Content-Security-Policy whose script-src omits 'unsafe-inline' so an inline handler that does slip through is not executed.


Additional Resources

What are Similar Vulnerabilities to CVE-2021-3163?

Similar Vulnerabilities: CVE-2023-34125, CVE-2022-24329, CVE-2021-23389, CVE-2020-27202, CVE-2020-13768