Closed Bug 847992 Opened 9 years ago Closed 9 years ago

XSS in FCKeditor on


(Websites ::, defect)




(Reporter: abillings, Assigned: pauljt)


(Keywords: sec-moderate, wsec-xss, Whiteboard: [])

Deepankar Arora and Nipun Jaswal ( sent the following report of an XSS in the FCKeditor on

Hi Sir/Madam,

We have recently discovered a POST XSS vulnerability in one of your sub-domains ( .

Vulnerable Link:


Exploit Code:

Bugzilla IDs:

Waiting for a reply soon.

Deepankar Arora
Nipun Jaswal
Flags: sec-bounty?
Assignee: nobody → ptheriault
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [verif?]
POC demonstrates XSS as described, in the "textinputs[]" parameter. The parameter gets injected straight into JavaScript, without escaping necessary characters:

var textinputs = new Array();
var error;
textinputs[0] = decodeURIComponent(" <- injection from here on.

I had a quick skim and I can't see an existing bug for this - not sure if this code is actually used or not, it seems to not work for me.
Well, we need to either:

1) Update the editor to a non-vulnerable version.
2) Fix it in place.
3) Remove the editor.
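The injection pauljt describes above (a request parameter pasted straight into a JavaScript string literal, with no escaping) can be reproduced and contrasted with option 2, a fix in place, in a few lines. The following is an added example written for this page; it is not FCKeditor's or Mozilla's code. The function names, the `marker` object and the test payload are constructed for the illustration, and `renderSafe` stands in for what a string-context encoder would have to do in the generating script.

```javascript
// Added example, not FCKeditor's or Mozilla's code. It reproduces the pattern
// described in the bug (a request parameter concatenated into a JavaScript
// string literal inside an inline <script>) and shows a safe encoder next to it.
// All function names and payloads here are constructed for this illustration.

// Vulnerable pattern: the raw parameter is concatenated into the script text,
// so a double quote in the value ends the literal and the rest is parsed as code.
function renderUnsafe(param) {
  return 'var textinputs = new Array();\n' +
         'var error;\n' +
         'textinputs[0] = decodeURIComponent("' + param + '");\n';
}

// Encode a value as a JavaScript string literal that is safe to embed in an
// inline <script>: JSON.stringify escapes quotes and backslashes; the extra
// replacements stop "</script>" from ending the HTML script block early and
// keep U+2028/U+2029 from acting as line terminators in older engines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened pattern: same generated script, parameter emitted via the encoder.
function renderSafe(param) {
  return 'var textinputs = new Array();\n' +
         'var error;\n' +
         'textinputs[0] = decodeURIComponent(' + jsStringLiteral(param) + ');\n';
}

// Execute a generated script the way the browser would, and report whether
// anything other than the intended assignment ran. `marker` stands in for
// attacker-reachable global state: a breakout payload flips marker.hit.
function runGenerated(script) {
  const marker = { hit: false };
  const textinputs = new Function('marker', script + '\nreturn textinputs;')(marker);
  return { value: textinputs[0], hit: marker.hit };
}

// Constructed test payload: closes the string literal and the call, runs a
// statement of its own, then comments out the remainder of the line.
const BREAKOUT = '"); marker.hit = true; //';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', runGenerated(renderUnsafe(BREAKOUT)));  // hit: true
  console.log('safe:  ', runGenerated(renderSafe(BREAKOUT)));    // hit: false
  console.log(renderSafe('</script>').includes('</script>'));   // false
}
```

With the unsafe renderer the payload's own statement executes and `textinputs[0]` is empty; with the safe renderer the whole payload lands in `textinputs[0]` as data and nothing else runs. The `<`/`>` escaping matters separately from the quote handling: the HTML parser ends a `<script>` block at the first `</script>` it sees regardless of JavaScript string syntax, so a JSON-only encoder is not enough on its own.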
The bug is still not fixed.
Yes, that is why the status of the bug is "new" instead of "resolved" with a resolution of "fixed."
Whiteboard: [verif?] → [verif?][]
This appears to be fixed. The FCKeditor doesn't seem to be present anymore, likely removed during the recent wikimo upgrades.
Closed: 9 years ago
Resolution: --- → FIXED
Does not qualify for a bounty, is not a covered site (3rd party software, developer-oriented site).
Flags: sec-bounty? → sec-bounty-
Whiteboard: [verif?][] → []
Group: websites-security