HTML Parsing Vulnerability in Lumos Product
CVE-2024-56082
Severity: High
Key Information:
- Vendor: Lumos
- CVE Published: 15 December 2024
Summary
CVE-2024-56082 is a significant security vulnerability in the Lumos ChatBar component in versions prior to 1.0.17. The component renders Markdown content with the markdown-to-jsx package without enabling that package's 'disableParsingRawHTML' option, so raw HTML embedded in the Markdown is parsed and rendered as markup instead of being displayed as text. An attacker who can supply Markdown content to the component can therefore inject script, leading to Cross-Site Scripting (XSS) that compromises user data and application security. Users are strongly advised to upgrade to version 1.0.17 or later to mitigate this risk.