GHSA-3x59-vrmc-5mx6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3x59-vrmc-5mx6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-3x59-vrmc-5mx6/GHSA-3x59-vrmc-5mx6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3x59-vrmc-5mx6
- Aliases
- Related
- Published
- 2023-08-24T22:16:20Z
- Modified
- 2023-11-08T04:13:24.921390Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- @webiny/react-rich-text-renderer vulnerable to insecure rendering of rich text content
- Details
-
Overview
@webiny/react-rich-text-rendereris a react component to render data coming from Webiny Headless CMS and Webiny Form Builder. The@webiny/react-rich-text-rendererpackage depends on the editor.js rich text editor to handle rich text content. The CMS stores rich text content from theeditor.jsinto the database. When the@webiny/react-rich-text-rendereris used to render such content, it uses thedangerouslySetInnerHTMLprop, without applying HTML sanitization. The issue arises when an actor, who in this context would specifically be a content manager with access to the CMS, inserts a malicious script as part of the user-defined input. This script is then injected and executed within the user's browser when the main page or admin page loads.Am I affected?
You will be affected if you're running a Webiny project created prior to
5.35.0and you're using the legacy rich text editor (which useseditor.jslibrary under the hood). If you've already switched to using the new rich text editor, powered by Lexical editor, you will not be affected by this.How do I patch this vulnerability?
Update to Webiny version
5.37.2. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2023-08-24T22:16:20Z", "nvd_published_at": "2023-08-25T14:15:10Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE" }- References
Affected packages
npm / @webiny/react-rich-text-renderer
Package
- Name
- @webiny/react-rich-text-renderer
- View open source insights on deps.dev
- Purl
- pkg:npm/%40webiny/react-rich-text-renderer