Cross-Site-Scripting attack on `<RichTextField>`

Severity:: Medium

Description

All React applications built with react-admin and using the <RichTextField> are affected.

<RichTextField> outputs the field value using dangerouslySetInnerHTML without client-side sanitization. If the data isn’t sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack.

Recommendation

Update the ra-ui-materialui package to the latest compatible version. Followings are version details:

Affected version(s): **< 3.19.12 >= 4.0.0, < 4.7.6**
Patched version(s): **3.19.12 4.7.6**

References

GHSA-5jcr-82fh-339v
CVE-2023-25572
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Cross-Site-Scripting attack on `<RichTextField>` (GHSA-5jcr-82fh-339v) - CVE-2023-25572
Joplin Cross-site Scripting vulnerability - CVE-2023-37299
Joplin Cross-site Scripting vulnerability (GHSA-7grw-xfx6-qhx6) - CVE-2023-37298
external-svg-loader Cross-site Scripting vulnerability - CVE-2023-40013

Tags:: npm; ra-ui-materialui

Anything's wrong? Let us know Last updated on February 22, 2023