CVE-2023-41167 – @webiny/react-rich-text-renderer

Package

Manager: npm
Name: @webiny/react-rich-text-renderer
Vulnerable Version: >=0 <5.37.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00243 pctl0.47444

Details

@webiny/react-rich-text-renderer vulnerable to insecure rendering of rich text content ## Overview `@webiny/react-rich-text-renderer` is a react component to render data coming from Webiny Headless CMS and Webiny Form Builder. The `@webiny/react-rich-text-renderer` package depends on the [editor.js](https://editorjs.io/) rich text editor to handle rich text content. The CMS stores rich text content from the `editor.js` into the database. When the `@webiny/react-rich-text-renderer` is used to render such content, it uses the `dangerouslySetInnerHTML` prop, without applying HTML sanitization. The issue arises when an actor, who in this context would specifically be a content manager with access to the CMS, inserts a malicious script as part of the user-defined input. This script is then injected and executed within the user's browser when the main page or admin page loads. ## Am I affected? You will be affected if you're running a Webiny project created prior to `5.35.0` and you're using the legacy rich text editor (which uses `editor.js` library under the hood). If you've already switched to using the new rich text editor, powered by Lexical editor, you will not be affected by this. ## How do I patch this vulnerability? Update to Webiny version `5.37.2`.

Metadata

Created: 2023-08-24T22:16:20Z
Modified: 2023-08-31T18:51:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-3x59-vrmc-5mx6/GHSA-3x59-vrmc-5mx6.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-3x59-vrmc-5mx6
Finding: F425
Auto approve: 1