GMS-2020-36: Cross-Site Scripting in @progress/kendo-angular-editor

August 11, 2020 (updated September 23, 2021)

Kendo UI for Angular Editor Component (npm package @progress/kendo-angular-editor) is vulnerable to Cross-Site Scripting. When the Editor content contains potentially malicious scripts in element event handlers, they get executed. Adding the following content to the Editor value demonstrates the issue: <img src="" onerror=alert(document.domain)>.

References

github.com/advisories/GHSA-j7wp-vjj6-cp5m
github.com/telerik/kendo-angular-editor
stackblitz.com/edit/angular-6xzuzp-tef7lb?file=app/app.component.ts
www.npmjs.com/advisories/1549

Code Behaviors & Features

Detect and mitigate GMS-2020-36 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →