Cross-Site-Scripting attack on `<RichTextField>` (GHSA-5jcr-82fh-339v)

Description

All React applications built with react-admin and using the <RichTextField> are affected.

<RichTextField> outputs the field value using dangerouslySetInnerHTML without client-side sanitization. If the data isn’t sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack.

Recommendation

Update the react-admin package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 4.0.0, < 4.7.6

  < 3.19.12**

• Patched version(s): **4.7.6

  3.19.12**

References

• GHSA-5jcr-82fh-339v
• CVE-2023-25572
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Cross-Site-Scripting attack on `<RichTextField>` - CVE-2023-25572
• Joplin Cross-site Scripting vulnerability (GHSA-7grw-xfx6-qhx6) - CVE-2023-37298
• Vega Expression Language `scale` expression function Cross Site Scripting (GHSA-4vq7-882g-wcg4) - CVE-2023-26486
• Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55) - CVE-2023-26487

Tags:

npm

react-admin