Skip to main content

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-34245

Severity Medium
Score 6.1/10

Summary

The @udecode/plate-link is the link handler for the udecode/plate rich-text editor plugin system for Slate & React. Affected versions prior to 20.0.0 of the link plugin and link UI component do not sanitize URLs to prevent the use of the `javascript:` scheme. As a result, links with JavaScript URLs can be inserted into the Plate editor through various means, including opening or pasting malicious content. `@udecode/plate-link` 20.0.0 resolves this issue by introducing an `allowedSchemes` option to the link plugin, defaulting to `['http', 'https', 'mailto', 'tel']`. URLs using a scheme that isn't in this list will not be rendered to the DOM. Users are advised to upgrade. Users were unable to upgrade are advised to override the `LinkElement` and `PlateFloatingLink` components with implementations that explicitly check the URL scheme before rendering any anchor elements.

  • LOW
  • NETWORK
  • LOW
  • CHANGED
  • REQUIRED
  • NONE
  • LOW
  • NONE

CWE-79 - Cross Site Scripting

Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a pregnable web application and victimize its users. The exploitation of such a weakness can cause severe issues such as account takeover, and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, it has remained in the OWASP top 10 vulnerabilities for years.

Advisory Timeline

  • Published