Cross-Site-Scripting attack on `<RichTextField>` - react-admin

Description

All React applications built with react-admin and using the <RichTextField> are affected.

<RichTextField> outputs the field value using dangerouslySetInnerHTML without client-side sanitization. If the data isn’t sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack.

Recommendation

Update the react-admin package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 4.0.0, < 4.7.6

  < 3.19.12**

• Patched version(s): **4.7.6

  3.19.12**

References

• GHSA-5jcr-82fh-339v
• CVE-2023-25572
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Cross-Site-Scripting attack on `<RichTextField>` - CVE-2023-25572
• tarteaucitron.js vulnerable to Cross-site Scripting - CVE-2023-3620
• editor.md vulnerable to Cross-site Scripting - CVE-2023-29641
• external-svg-loader Cross-site Scripting vulnerability - CVE-2023-40013

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

react-admin