XSS vulnerability in Plate media for React
CVE-2024-40631
What is CVE-2024-40631?
The vulnerability allows for cross-site scripting (XSS) attacks when using custom URL parsers within the Udecode Plate Media editor. Specifically, when editors implement the MediaEmbedElement and assign custom urlParsers to the useMediaState hook, there is a risk of allowing malicious scripts via javascript:, data:, or vbscript: URLs. Editors that directly utilize the url property without proper sanitization are similarly exposed. The default URL parsing functions, such as parseTwitterUrl and parseVideoUrl, are unaffected. To address this vulnerability, version 36.0.10 of @udecode/plate-media enforces restrictions on URL parsing to ensure only HTTP and HTTPS protocols are allowed. Additionally, the return value of useMediaState has been updated to clearly denote unsafe URLs, urging users to perform thorough validation of URLs before utilizing them. Users are encouraged to update to the latest version, or if unable to do so, must ensure their custom parsers do not permit unsafe URL schemes.
Affected Version(s)
plate < 36.0.10
