On June 13, 2024, a critical 0-day vulnerability (CVE-2024-37629) was disclosed in the SummerNote 0.8.18 WYSIWYG editor, allowing Cross-Site Scripting (XSS) via the Code View function. Security researcher Sergio Medeiros identified that the flaw could be exploited to insert harmful executable scripts, impacting over 10,000 web applications. An attacker can inject a malicious XSS payload that executes as JavaScript when the editor processes it. The vulnerability highlights the significant risk posed by unsanitized input fields in web applications: editor content must be treated as untrusted input. Users are urged to sanitize input fields and update to a secure version of SummerNote to mitigate this risk.
For further details and mitigation strategies, refer to the full research report.