Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
@webiny/react-rich-text-renderer vulnerable to insecure rendering of rich text content
Overview
@webiny/react-rich-text-renderer is a React component that renders data coming from Webiny Headless CMS and Webiny Form Builder. The package depends on the editor.js rich text editor to handle rich text content, and the CMS stores the editor.js output in the database. When @webiny/react-rich-text-renderer renders that stored content, it passes it to the dangerouslySetInnerHTML prop without applying HTML sanitization. The issue arises when an actor, who in this context is a content manager with access to the CMS, inserts a malicious script as part of the user-defined rich text input. That script is then injected into the page and executed in the user's browser when the main page or the admin page loads.
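The following is an added illustration, not code from Webiny or from the renderer package, of the rendering difference the advisory describes. It models editor.js-style block data stored by a CMS (the sample blocks are constructed here) and contrasts interpolating the stored text verbatim, which is what handing it to dangerouslySetInnerHTML amounts to, with escaping it before it reaches markup. It also includes a small review check a defender can run over stored content; the helper names and the regular expression are assumptions for this example, not part of the project.

```javascript
// Added example (not Webiny's code): models editor.js-style blocks as a CMS
// would store them and the two rendering strategies named in the advisory.

// Constructed sample data: one benign paragraph with inline formatting and
// one block in which a content manager has placed a script tag.
const SAMPLE_BLOCKS = [
  { type: "paragraph", data: { text: "Hello <b>world</b>" } },
  { type: "paragraph", data: { text: 'Bye<script>alert("xss")</script>' } },
];

// Escape the characters that are significant in HTML text and attribute
// contexts so stored text can never be parsed as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: stored text is interpolated verbatim into markup. This
// is equivalent to passing it to dangerouslySetInnerHTML unsanitized.
function renderUnsafe(blocks) {
  return blocks.map((b) => `<p>${b.data.text}</p>`).join("");
}

// Hardened pattern: stored text is escaped before it becomes markup. Inline
// formatting such as <b> is lost; a renderer that must keep a subset of tags
// should run an allowlist HTML sanitizer (DOMPurify is the usual choice)
// rather than rely on plain escaping.
function renderEscaped(blocks) {
  return blocks.map((b) => `<p>${escapeHtml(b.data.text)}</p>`).join("");
}

// Defender-side review check (heuristic, assumed for this example): flag
// stored blocks that contain a script tag or an inline event-handler
// attribute so they can be inspected before the content is published.
const SUSPICIOUS = /<\s*script\b|\bon[a-z]+\s*=/i;
function findSuspiciousBlocks(blocks) {
  return blocks
    .map((b, i) => (SUSPICIOUS.test(b.data.text) ? i : -1))
    .filter((i) => i >= 0);
}

// Helper used to compare the two renderers' output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Usage: the unsafe renderer emits a live script element, the escaped one
// does not, and the review check points at the tampered block (index 1).
console.log(containsScriptTag(renderUnsafe(SAMPLE_BLOCKS)));   // true
console.log(containsScriptTag(renderEscaped(SAMPLE_BLOCKS)));  // false
console.log(findSuspiciousBlocks(SAMPLE_BLOCKS));              // [ 1 ]
```

The escaping approach is the simplest correct baseline for untrusted text; the trade-off it makes (dropping inline formatting) is why rich text renderers reach for an allowlist sanitizer instead, and the review check is a way to spot already-stored content that needs attention when upgrading.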
Am I affected?
You will be affected if you're running a Webiny project created prior to 5.35.0 and you're using the legacy rich text editor (which uses the editor.js library under the hood). If you've already switched to the new rich text editor, powered by Lexical, you will not be affected by this.
How do I patch this vulnerability?
Update to Webiny version 5.37.2.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zeDU5LXZybWMtNW14Ns4AA1fb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 6 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-3x59-vrmc-5mx6, CVE-2023-41167
References:
- https://github.com/webiny/webiny-js/security/advisories/GHSA-3x59-vrmc-5mx6
- https://github.com/webiny/webiny-js/commit/8748bc53fe862bb03d4459ccc0be39084a5d35c0
- https://nvd.nist.gov/vuln/detail/CVE-2023-41167
- https://webiny.com
- https://github.com/advisories/GHSA-3x59-vrmc-5mx6
Blast Radius: 6.4
Affected Packages
npm:@webiny/react-rich-text-renderer
Dependent packages: 1
Dependent repositories: 22
Downloads: 2,024 last month
Affected Version Ranges: <= 5.37.1
Fixed in: 5.37.2
All affected versions: 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.11.1, 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.16.0, 5.17.0, 5.17.2, 5.17.3, 5.17.4, 5.18.0, 5.18.1, 5.18.2, 5.18.3, 5.19.0, 5.19.1, 5.20.0, 5.21.0, 5.22.0, 5.22.1, 5.23.0, 5.23.1, 5.24.0, 5.25.0, 5.26.0, 5.27.0, 5.28.0, 5.29.0, 5.30.0, 5.31.0, 5.32.0, 5.33.0, 5.33.1, 5.33.2, 5.33.3, 5.33.4, 5.33.5, 5.34.0, 5.34.1, 5.34.2, 5.34.3, 5.34.4, 5.34.5, 5.34.6, 5.34.7, 5.34.8, 5.35.0, 5.35.1, 5.35.2, 5.35.3, 5.35.4, 5.36.0, 5.36.1, 5.36.2, 5.37.0, 5.37.1
All unaffected versions: 5.37.2, 5.37.3, 5.37.4, 5.37.5, 5.37.6, 5.37.7, 5.37.8, 5.38.0, 5.38.1, 5.38.2, 5.38.3, 5.38.4, 5.38.5, 5.38.6, 5.39.0, 5.39.1, 5.39.2, 5.39.3, 5.39.4, 5.39.5