Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link.
This vulnerability also enables a self-propagating worm: once a victim clicks the malicious link, the attacker's script can automatically copy itself to all documents the victim can edit, spreading to other users without any additional interaction.
Severity: High (CVSS 8.7 - AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
Affected versions: v3.8.0 through v4.3.0.
Vulnerability Details
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- Affected Component:
src/frontend/apps/impress/src/features/docs/doc-editor/components/custom-inline-content/Interlinking/InterlinkingLinkInlineContent.tsx
The issue occurs because:
- When a user clicks an interlinking block, the `handleClick` function calls `router.push(url)`
- The `url` value comes directly from the stored block data without validation
- Next.js `router.push()` does not reject `javascript:` URLs: a value that is not an internal route is handed to the browser as a plain navigation, and the browser executes a `javascript:` URL on navigation, allowing arbitrary script execution in the victim's session
const handleClick = (e: React.MouseEvent<HTMLDivElement>) => {
e.preventDefault();
void router.push(url); // url is not validated
};
While the normal UI generates safe URLs like /docs/{document-id}, the stored block data can be modified to contain javascript: URLs via the editor API.
Impact
Attack scenario example:
Attacker (editor) → Injects malicious link into shared document
↓
Victim A clicks link → Worm spreads to all of Victim A's editable documents
↓
Victim B opens infected document → Worm spreads to all of Victim B's documents
↓
Exponential spread across organization
CVSS 8.7 Justification
- AV:N (Network) - Exploitable over network
- AC:L (Low) - No special conditions required
- PR:L (Low) - Requires document edit privileges
- UI:R (Required) - Victim must click the link
- S:C (Changed) - Worm can spread to other documents/users beyond initial scope
- C:H (High) - Can read all of the victim's documents using the victim's session
- I:H (High) - Can modify other documents, inject malicious content
- A:N (None) - No direct availability impact
Credits