Ran into a interesting False-Positive related to a third party WYSIWYG editor, need some feedback

Hey everyone,

I’m a AppSec Engineer and our SCA scanner picked up a vulnerability for a javascript WYSIWG editor that was tagged as Disputed in the NVD. This finding was High severity.

I don’t have the specifics for CVE or package, but those details should not matter here.

Basically, the text editor allows a user to add their own HTML and does not restrict its usage. A security researcher reported that this allowed them to add JS and execute a …

appsec cve cybersecurity don editor engineer feedback hey high javascript nvd package party sca scanner severity third vulnerability