Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2018-6464

CVE-2018-6464:
Simditor XSS Vulnerability

6.1

CVSS Score

Basic Information

CVE ID
CVE-2018-6464
GHSA ID
GHSA-p9wj-wrrm-84m5
EPSS Score
-
CWE
CWE-79
Published
5/13/2022
Updated
10/6/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
simditornpm<= 2.3.11

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided vulnerability information lacks concrete code examples, commit diffs, or patch details showing specific functions. While the vulnerability stems from insufficient input sanitization when processing TEXTAREA content containing SVG/onload attributes, the exact functions responsible for HTML parsing/sanitization in Simditor cannot be identified with high confidence without access to the implementation details. The advisory references a simditor.docx file that is no longer accessible, and there's no GitHub patch or code snippet to analyze. This makes it impossible to pinpoint specific vulnerable functions or their file paths definitively.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Sim*itor v*.*.** *llows XSS vi* *r**t** us* o* `sv*/onlo**=*l*rt` in * T*XT*R** *l*m*nt, *s **monstr*t** *y *ir**ox **.*.*.

Reasoning

T** provi*** vuln*r**ility in*orm*tion l**ks *on*r*t* *o** *x*mpl*s, *ommit *i**s, or p*t** **t*ils s*owin* sp**i*i* *un*tions. W*il* t** vuln*r**ility st*ms *rom insu**i*i*nt input s*nitiz*tion w**n pro**ssin* T*XT*R** *ont*nt *ont*inin* SV*/onlo**