@tiptap/extension-link Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the @tiptap/extension-link package, affecting versions prior to 2.10.4. The issue arises because user-supplied hrefs are not validated when a link is set or toggled. This allows an attacker to execute arbitrary JavaScript in the context of the application by injecting a 'javascript:' URL as the link target; the script runs when a user clicks the link.
Impact
Exploitation of this vulnerability results in cross-site scripting: the injected script runs in the victim's browser with the application's origin, potentially leading to session hijacking or other malicious actions performed as that user.
Reproduction
To reproduce this vulnerability, use a version of the @tiptap/extension-link package prior to 2.10.4. Navigate to a page with the Tiptap editor, click 'Try it live', and add a link by entering a 'javascript:' URL payload into the link dialog. Once the link is added, change the 'contenteditable' attribute to 'false' to make the link clickable. Clicking the link will execute the injected JavaScript, demonstrating the XSS vulnerability.
Remediation
Upgrade the @tiptap/extension-link package to version 2.10.4 or later.
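As an added example (not code from the @tiptap/extension-link package), the following scheme allowlist shows how an editor can refuse a 'javascript:' href before it is ever stored in a link: the href is run through the WHATWG URL parser, which strips surrounding whitespace, removes embedded tabs and newlines, and lower-cases the scheme, so the decision rests on the parsed protocol rather than on a fragile string-prefix check. The allowed scheme set and the placeholder base origin `https://editor.example` are assumptions.

```javascript
// Added example, not the package's own code: an href scheme allowlist an editor
// can apply before creating a link mark. The allowed set and the base origin
// used to resolve relative links are assumptions for this illustration.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Placeholder origin (reserved .example TLD) used only so relative hrefs such
// as "/docs" can be parsed; absolute hrefs keep their own scheme regardless.
const RESOLVE_BASE = 'https://editor.example';

function isAllowedHref(href) {
  if (typeof href !== 'string' || href.trim() === '') return false;
  let parsed;
  try {
    // new URL() normalises case and whitespace per the WHATWG URL standard,
    // so checking parsed.protocol is not bypassed by "JavaScript:" or
    // by leading spaces / embedded tabs that a startsWith() check would miss.
    parsed = new URL(href, RESOLVE_BASE);
  } catch {
    return false; // unparseable input is refused rather than stored
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Returns the attributes a link may be created with, or null to refuse it.
function sanitizeLinkAttrs(attrs) {
  if (!attrs || !isAllowedHref(attrs.href)) return null;
  const newTab = attrs.target === '_blank';
  return {
    href: attrs.href,
    target: newTab ? '_blank' : null,
    // Links opened in a new tab also drop the opener reference.
    rel: newTab ? 'noopener noreferrer' : null,
  };
}

// Demonstration on constructed inputs.
for (const href of ['https://example.com/docs', '/relative/path', 'javascript:alert(1)']) {
  console.log(href, '->', isAllowedHref(href) ? 'allowed' : 'refused');
}
```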
