id: CVE-2019-7543 info: name: KindEditor 4.1.11 - Cross-Site Scripting author: pikpikcu severity: medium description: KindEditor 4.1.11 contains a cross-site scripting vulnerability via the php/demo.php content1 parameter. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade to a patched version of KindEditor or apply the necessary security patches provided by the vendor. reference: - https://github.com/0xUhaw/CVE-Bins/tree/master/KindEditor - https://nvd.nist.gov/vuln/detail/CVE-2019-7543 - https://github.com/ARPSyndicate/kenzer-templates - https://github.com/HaleBera/A-NOVEL-CONTAINER-ATTACKS-DATASET-FOR-INTRUSION-DETECTION - https://github.com/HaleBera/A-NOVEL-CONTAINER-ATTACKS-DATASET-FOR-INTRUSION-DETECTION-Deployments classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2019-7543 cwe-id: CWE-79 epss-score: 0.03134 epss-percentile: 0.86258 cpe: cpe:2.3:a:kindsoft:kindeditor:4.1.11:*:*:*:*:*:*:* metadata: max-request: 2 vendor: kindsoft product: kindeditor tags: cve,cve2019,kindeditor,xss,kindsoft,vuln http: - method: POST path: - '{{BaseURL}}/kindeditor/php/demo.php' - '{{BaseURL}}/php/demo.php' body: "content1=&button=%E6%8F%90%E4%BA%A4%E5%86%85%E5%AE%B9" headers: Content-Type: application/x-www-form-urlencoded matchers-condition: and matchers: - type: word part: body words: - '' - type: word part: header words: - text/html - type: status status: - 200 # digest: 490a0046304402207578964f1a65c2f0f168b851432d4d4ed90fe5a665f27450f9260fa3052adc6f02206e13a6caa94a26d8654aa38f5409ef00884ad5794ade9d65ee8432e73fd969c0:922c64590222798bb761d5b6d8e72950