0-Day Vulnerability in 10,000 Web Apps Exploited Using XSS Payloads

Bar Refael

June 16, 2024

On June 13, 2024, a critical 0-day vulnerability (CVE-2024-37629) was discovered in the SummerNote 0.8.18 WYSIWYG editor, allowing Cross-Site Scripting (XSS) via the Code View function. Security researcher Sergio Medeiros identified that this flaw could be exploited to insert harmful executable scripts, impacting over 10,000 web applications. The vulnerability allows attackers to inject malicious XSS payloads, which execute JavaScript code when processed by the editor. This vulnerability highlights the significant risk posed by unsanitized input fields in web applications. Users are urged to sanitize input fields and update to secure versions of SummerNote to mitigate this risk.
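The mitigation the advisory recommends, sanitizing rich-text input server-side before it is stored or rendered, is illustrated below with an added example that is not part of the original report or of the Summernote project. It is a minimal allowlist sanitizer built on Python's standard `html.parser`: everything not explicitly allowed (unknown tags, `on*` event-handler attributes, `style`, non-http(s) link schemes) is dropped, and the contents of `script`/`style`/`iframe` elements are removed entirely. The tag and attribute allowlist and the constructed sample input are assumptions chosen for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for typical WYSIWYG output; adjust per application.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "pre", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
# Whole element (tag and text content) is removed for these.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input from allowed tags/attributes only; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded, re-escaped on output
        self.out = []
        self.skip_depth = 0                       # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                                # unknown tag removed, its text kept
        safe_attrs = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                          # drops onclick, onerror, style, ...
            if name == "href":
                # Strip control/whitespace characters so obfuscated schemes
                # ("jav\tascript:") are compared in normalized form.
                normalized = "".join(
                    ch for ch in (value or "")
                    if ch.isprintable() and not ch.isspace()).lower()
                if not normalized.startswith(SAFE_URL_PREFIXES):
                    continue                      # non-allowlisted scheme: drop attribute
            safe_attrs.append((name, escape(value or "", quote=True)))
        attr_str = "".join(f' {n}="{v}"' for n, v in safe_attrs)
        self.out.append(f"<{tag}{attr_str}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text can never become markup

    def handle_comment(self, data):
        pass                                      # comments are discarded


def sanitize_html(untrusted: str) -> str:
    """Return a version of `untrusted` containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()                                # flush buffered text
    return "".join(parser.out)


# Constructed sample of editor output as it might reach a save endpoint.
SAMPLE = ('<p onclick="alert(1)">Hi <b>there</b><script>alert(1)</script>'
          '<a href="javascript:alert(1)">x</a><a href="https://example.com">ok</a>'
          '<img src=x onerror=alert(1)></p>')

if __name__ == "__main__":
    print(sanitize_html(SAMPLE))
    # -> <p>Hi <b>there</b><a>x</a><a href="https://example.com">ok</a></p>
```

Run the sanitizer on the server at the point where editor content is accepted, not only in the browser, since a client-side editor's own filtering can be bypassed by submitting the request directly. In production a maintained sanitizer library (for example DOMPurify in JavaScript or bleach/nh3 in Python) is preferable to a hand-written one, because it tracks parser quirks and new bypass classes; the example above shows the allowlist principle those libraries apply.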

For further details and mitigation strategies, refer to the full research report.

Stay Secure. Stay Informed.

OP Innovate Research Team.
