CVE-2022-23461
XSS vulnerability in jodit (npm)
What is CVE-2022-23461 About?
Jodit Editor is susceptible to Cross-Site Scripting (XSS) attacks through specially crafted input during paste operations. This can lead to arbitrary script execution in the user's browser, posing a moderate risk to user data and browser integrity. Exploitation requires careful crafting of the input but is generally straightforward once the vulnerability is understood.
Affected Software
Technical Details
The Jodit Editor, a WYSIWYG editor written in TypeScript, fails to properly sanitize certain inputs, specifically content pasted into the editor. An attacker can embed a malicious script in the input data. When a user pastes this specially constructed input into the editor, the editor processes it without adequate sanitization, and the embedded script is executed in the context of the user's browser. This allows the attacker to bypass the page's security mechanisms and perform actions such as session hijacking, defacement, or redirection.
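The paste path described above is where sanitization has to happen. The following is an added example, not Jodit's own code and not its fix: an allowlist-based sanitizer for pasted HTML in plain JavaScript, so it runs in Node as well as in the browser. `sanitizePastedHtml`, `rebuildTag` and the allowlists are hypothetical names and choices.

```javascript
// Added example, not Jodit's own code; the function names here are hypothetical.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;   // allowlist: javascript:, data:, entity tricks all fail closed

// Re-emit an allowed opening tag with only its allowed attributes, so event
// handlers (onerror, onclick, ...) and script-bearing URLs never reach the editor DOM.
function rebuildTag(name, rawAttrs) {
  const allowed = ALLOWED_ATTRS[name] ?? new Set();
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const kept = [];
  for (const m of rawAttrs.matchAll(attrRe)) {
    const attr = m[1].toLowerCase();
    if (!allowed.has(attr)) continue;
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    if (attr === 'href' || attr === 'src') {
      value = value.replace(/[\s\u0000-\u001f]/g, '');   // "java\nscript:" would still run
      if (!SAFE_URL.test(value)) continue;
    }
    kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
  }
  return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
}

// Walk the pasted markup tag by tag: drop <script>/<style> with their bodies, strip
// unknown tags but keep their text, rebuild allowed tags, and escape stray '<' in text.
function sanitizePastedHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += html.slice(last, m.index).replace(/</g, '&lt;');
    last = tagRe.lastIndex;
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!closing && (name === 'script' || name === 'style')) {
      const endRe = new RegExp(`</${name}\\s*>`, 'ig');
      endRe.lastIndex = last;
      last = tagRe.lastIndex = endRe.exec(html) ? endRe.lastIndex : html.length;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;
    out += closing ? `</${name}>` : rebuildTag(name, rawAttrs);
  }
  return out + html.slice(last).replace(/</g, '&lt;');
}
```

In a browser the hook is the editable element's paste listener: read event.clipboardData.getData('text/html'), call event.preventDefault(), and insert the sanitized string instead. For production code a maintained sanitizer such as DOMPurify should replace this hand-rolled tag walker.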
What is the Impact of CVE-2022-23461?
Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, hijack user sessions, deface web content, or redirect users to malicious sites.
What is the Exploitability of CVE-2022-23461?
Exploitation of this XSS vulnerability is of moderate complexity. It requires an attacker to provide specially constructed input that a user then pastes into the Jodit Editor. No authentication is necessary for the attacker to provide this input to a potential victim, but the victim must interact with the editor by pasting the malicious content. The vulnerability is typically exploited remotely, as the attacker delivers the payload to the victim. The primary constraint is the user's action of pasting the malicious content; social engineering might increase the likelihood of success. No special privileges are required on the victim's system, and the impact is limited to the browser session.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-23461?
Available Upgrade Options
- No fixes available
What are Similar Vulnerabilities to CVE-2022-23461?
Similar Vulnerabilities: CVE-2021-23648, CVE-2022-48345, CVE-2023-28435, CVE-2023-38406, CVE-2023-45136
