GHSA-3x59-vrmc-5mx6

Suggest an improvement
Source
https://github.com/advisories/GHSA-3x59-vrmc-5mx6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-3x59-vrmc-5mx6/GHSA-3x59-vrmc-5mx6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3x59-vrmc-5mx6
Aliases
Related
Published
2023-08-24T22:16:20Z
Modified
2023-11-08T04:13:24.921390Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
@webiny/react-rich-text-renderer vulnerable to insecure rendering of rich text content
Details

Overview

@webiny/react-rich-text-renderer is a react component to render data coming from Webiny Headless CMS and Webiny Form Builder. The @webiny/react-rich-text-renderer package depends on the editor.js rich text editor to handle rich text content. The CMS stores rich text content from the editor.js into the database. When the @webiny/react-rich-text-renderer is used to render such content, it uses the dangerouslySetInnerHTML prop, without applying HTML sanitization. The issue arises when an actor, who in this context would specifically be a content manager with access to the CMS, inserts a malicious script as part of the user-defined input. This script is then injected and executed within the user's browser when the main page or admin page loads.

Am I affected?

You will be affected if you're running a Webiny project created prior to 5.35.0 and you're using the legacy rich text editor (which uses editor.js library under the hood). If you've already switched to using the new rich text editor, powered by Lexical editor, you will not be affected by this.

How do I patch this vulnerability?

Update to Webiny version 5.37.2.

Database specific
{
    "github_reviewed_at": "2023-08-24T22:16:20Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2023-08-25T14:15:10Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

npm / @webiny/react-rich-text-renderer

Package

Name
@webiny/react-rich-text-renderer
View open source insights on deps.dev
Purl
pkg:npm/%40webiny/react-rich-text-renderer

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.37.2

Database specific

{
    "last_known_affected_version_range": "<= 5.37.1"
}