Syncfusion Document Editor and Chat UI Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Syncfusion version 30.1.37. This issue arises in the Document Editor's reply to comment field and the Chat UI's chat message feature. The vulnerability allows attackers to inject malicious scripts that are executed when the content is viewed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Reproduction

To reproduce this vulnerability in the Document Editor, leave a comment on a valid Syncfusion document, then reply to that comment with a message containing malicious HTML, such as an image tag with an 'onerror' event. In the Chat UI, send a message with similar malicious HTML. The injected script will execute when the message is viewed.