Vulnerability-Lookup

CVE-2023-25572 (GCVE-0-2023-25572)

Vulnerability from cvelistv5 – Published: 2023-02-13 20:49 – Updated: 2025-03-10 21:12

Title

React-Admin vulnerable to Cross-Site-Scripting attack on `<RichTextField>`

Summary

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn't sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `<RichTextField>` by a custom field doing sanitization by hand.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/marmelab/react-admin/security/…	x_refsource_CONFIRM
	https://github.com/marmelab/react-admin/pull/8644	x_refsource_MISC
	https://github.com/marmelab/react-admin/pull/8645	x_refsource_MISC
	https://github.com/marmelab/react-admin/releases/…	x_refsource_MISC
	https://github.com/marmelab/react-admin/releases/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	marmelab	react-admin	Affected: < 3.19.12 Affected: >= 4.0.0, < 4.7.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:25:19.194Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v"
          },
          {
            "name": "https://github.com/marmelab/react-admin/pull/8644",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/marmelab/react-admin/pull/8644"
          },
          {
            "name": "https://github.com/marmelab/react-admin/pull/8645",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/marmelab/react-admin/pull/8645"
          },
          {
            "name": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12"
          },
          {
            "name": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25572",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T21:00:46.979789Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:12:31.239Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "react-admin",
          "vendor": "marmelab",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.19.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.7.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. `\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-13T20:49:54.340Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v"
        },
        {
          "name": "https://github.com/marmelab/react-admin/pull/8644",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/marmelab/react-admin/pull/8644"
        },
        {
          "name": "https://github.com/marmelab/react-admin/pull/8645",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/marmelab/react-admin/pull/8645"
        },
        {
          "name": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12"
        },
        {
          "name": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6"
        }
      ],
      "source": {
        "advisory": "GHSA-5jcr-82fh-339v",
        "discovery": "UNKNOWN"
      },
      "title": "React-Admin vulnerable to Cross-Site-Scripting attack on `\u003cRichTextField\u003e`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-25572",
    "datePublished": "2023-02-13T20:49:54.340Z",
    "dateReserved": "2023-02-07T17:10:00.739Z",
    "dateUpdated": "2025-03-10T21:12:31.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-25572",
      "date": "2026-04-25",
      "epss": "0.00799",
      "percentile": "0.74114"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:marmelab:ra-ui-materialui:*:*:*:*:*:node.js:*:*\", \"versionEndExcluding\": \"3.9.12\", \"matchCriteriaId\": \"6E468540-8158-43F2-A7FF-72D9CE7CDE4B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:marmelab:ra-ui-materialui:*:*:*:*:*:node.js:*:*\", \"versionStartIncluding\": \"4.0.0\", \"versionEndExcluding\": \"4.7.6\", \"matchCriteriaId\": \"8C52A15F-0B9F-4E15-AB29-16295BF42E0B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:marmelab:react-admin:*:*:*:*:*:node.js:*:*\", \"versionEndExcluding\": \"3.9.12\", \"matchCriteriaId\": \"FEC7A43C-5BEA-446D-AB0F-E56517457D26\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:marmelab:react-admin:*:*:*:*:*:node.js:*:*\", \"versionStartIncluding\": \"4.0.0\", \"versionEndExcluding\": \"4.7.6\", \"matchCriteriaId\": \"280466D9-681F-4DEB-B15E-EAB5B6AD4638\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. `\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand.\\n\"}]",
      "id": "CVE-2023-25572",
      "lastModified": "2024-11-21T07:49:45.277",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}]}",
      "published": "2023-02-13T21:15:15.550",
      "references": "[{\"url\": \"https://github.com/marmelab/react-admin/pull/8644\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Patch\"]}, {\"url\": \"https://github.com/marmelab/react-admin/pull/8645\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/marmelab/react-admin/releases/tag/v3.19.12\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/marmelab/react-admin/releases/tag/v4.7.6\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/marmelab/react-admin/pull/8644\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Patch\"]}, {\"url\": \"https://github.com/marmelab/react-admin/pull/8645\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/marmelab/react-admin/releases/tag/v3.19.12\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/marmelab/react-admin/releases/tag/v4.7.6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mitigation\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-25572\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-02-13T21:15:15.550\",\"lastModified\":\"2024-11-21T07:49:45.277\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. `\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:marmelab:ra-ui-materialui:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"3.9.12\",\"matchCriteriaId\":\"6E468540-8158-43F2-A7FF-72D9CE7CDE4B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:marmelab:ra-ui-materialui:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.7.6\",\"matchCriteriaId\":\"8C52A15F-0B9F-4E15-AB29-16295BF42E0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:marmelab:react-admin:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"3.9.12\",\"matchCriteriaId\":\"FEC7A43C-5BEA-446D-AB0F-E56517457D26\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:marmelab:react-admin:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.7.6\",\"matchCriteriaId\":\"280466D9-681F-4DEB-B15E-EAB5B6AD4638\"}]}]}],\"references\":[{\"url\":\"https://github.com/marmelab/react-admin/pull/8644\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"https://github.com/marmelab/react-admin/pull/8645\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/marmelab/react-admin/releases/tag/v3.19.12\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/marmelab/react-admin/releases/tag/v4.7.6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/marmelab/react-admin/pull/8644\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"https://github.com/marmelab/react-admin/pull/8645\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/marmelab/react-admin/releases/tag/v3.19.12\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/marmelab/react-admin/releases/tag/v4.7.6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v\", \"name\": \"https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/marmelab/react-admin/pull/8644\", \"name\": \"https://github.com/marmelab/react-admin/pull/8644\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/marmelab/react-admin/pull/8645\", \"name\": \"https://github.com/marmelab/react-admin/pull/8645\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/marmelab/react-admin/releases/tag/v3.19.12\", \"name\": \"https://github.com/marmelab/react-admin/releases/tag/v3.19.12\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/marmelab/react-admin/releases/tag/v4.7.6\", \"name\": \"https://github.com/marmelab/react-admin/releases/tag/v4.7.6\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:25:19.194Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-25572\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T21:00:46.979789Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T21:00:48.542Z\"}}], \"cna\": {\"title\": \"React-Admin vulnerable to Cross-Site-Scripting attack on `\u003cRichTextField\u003e`\", \"source\": {\"advisory\": \"GHSA-5jcr-82fh-339v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"marmelab\", \"product\": \"react-admin\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.19.12\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.7.6\"}]}], \"references\": [{\"url\": \"https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v\", \"name\": \"https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/marmelab/react-admin/pull/8644\", \"name\": \"https://github.com/marmelab/react-admin/pull/8644\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/marmelab/react-admin/pull/8645\", \"name\": \"https://github.com/marmelab/react-admin/pull/8645\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/marmelab/react-admin/releases/tag/v3.19.12\", \"name\": \"https://github.com/marmelab/react-admin/releases/tag/v3.19.12\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/marmelab/react-admin/releases/tag/v4.7.6\", \"name\": \"https://github.com/marmelab/react-admin/releases/tag/v4.7.6\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. `\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand.\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-02-13T20:49:54.340Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-25572\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-10T21:12:31.239Z\", \"dateReserved\": \"2023-02-07T17:10:00.739Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-02-13T20:49:54.340Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2023-25572

Vulnerability from fkie_nvd - Published: 2023-02-13 21:15 - Updated: 2024-11-21 07:49

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/marmelab/react-admin/pull/8644	Exploit, Patch
security-advisories@github.com	https://github.com/marmelab/react-admin/pull/8645	Patch
security-advisories@github.com	https://github.com/marmelab/react-admin/releases/tag/v3.19.12	Release Notes
security-advisories@github.com	https://github.com/marmelab/react-admin/releases/tag/v4.7.6	Release Notes
security-advisories@github.com	https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/marmelab/react-admin/pull/8644	Exploit, Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/marmelab/react-admin/pull/8645	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/marmelab/react-admin/releases/tag/v3.19.12	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/marmelab/react-admin/releases/tag/v4.7.6	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v	Exploit, Mitigation, Vendor Advisory

Impacted products

Vendor	Product	Version
marmelab	ra-ui-materialui	*
marmelab	ra-ui-materialui	*
marmelab	react-admin	*
marmelab	react-admin	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:marmelab:ra-ui-materialui:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "6E468540-8158-43F2-A7FF-72D9CE7CDE4B",
              "versionEndExcluding": "3.9.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:marmelab:ra-ui-materialui:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "8C52A15F-0B9F-4E15-AB29-16295BF42E0B",
              "versionEndExcluding": "4.7.6",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:marmelab:react-admin:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "FEC7A43C-5BEA-446D-AB0F-E56517457D26",
              "versionEndExcluding": "3.9.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:marmelab:react-admin:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "280466D9-681F-4DEB-B15E-EAB5B6AD4638",
              "versionEndExcluding": "4.7.6",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. `\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand.\n"
    }
  ],
  "id": "CVE-2023-25572",
  "lastModified": "2024-11-21T07:49:45.277",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-02-13T21:15:15.550",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/marmelab/react-admin/pull/8644"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/marmelab/react-admin/pull/8645"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/marmelab/react-admin/pull/8644"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/marmelab/react-admin/pull/8645"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2023-25572

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-25572

Aliases

CVE-2023-25572

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-25572",
    "id": "GSD-2023-25572"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-25572"
      ],
      "details": "react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. `\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand.",
      "id": "GSD-2023-25572",
      "modified": "2023-12-13T01:20:40.004009Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-25572",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "react-admin",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 3.19.12"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 4.0.0, \u003c 4.7.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "marmelab"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. `\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v",
            "refsource": "MISC",
            "url": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v"
          },
          {
            "name": "https://github.com/marmelab/react-admin/pull/8644",
            "refsource": "MISC",
            "url": "https://github.com/marmelab/react-admin/pull/8644"
          },
          {
            "name": "https://github.com/marmelab/react-admin/pull/8645",
            "refsource": "MISC",
            "url": "https://github.com/marmelab/react-admin/pull/8645"
          },
          {
            "name": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12",
            "refsource": "MISC",
            "url": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12"
          },
          {
            "name": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6",
            "refsource": "MISC",
            "url": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-5jcr-82fh-339v",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c3.9.12||\u003e=4.0.0 \u003c4.7.6",
          "affected_versions": "All versions before 3.9.12, all versions starting from 4.0.0 before 4.7.6",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-02-22",
          "description": "react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, is vulnerable to cross-site scripting. All React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. `\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand.",
          "fixed_versions": [
            "3.10.0",
            "4.7.6"
          ],
          "identifier": "CVE-2023-25572",
          "identifiers": [
            "CVE-2023-25572",
            "GHSA-5jcr-82fh-339v"
          ],
          "not_impacted": "All versions starting from 3.9.12 before 4.0.0, all versions starting from 4.7.6",
          "package_slug": "npm/ra-ui-materialui",
          "pubdate": "2023-02-13",
          "solution": "Upgrade to versions 3.10.0, 4.7.6 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-25572",
            "https://github.com/marmelab/react-admin/pull/8644",
            "https://github.com/marmelab/react-admin/pull/8645",
            "https://github.com/marmelab/react-admin/releases/tag/v3.19.12",
            "https://github.com/marmelab/react-admin/releases/tag/v4.7.6",
            "https://github.com/advisories/GHSA-5jcr-82fh-339v"
          ],
          "uuid": "0d798ce6-3037-4443-a332-06d6b1dd4a67"
        },
        {
          "affected_range": "\u003c3.9.12||\u003e=4.0.0 \u003c4.7.6",
          "affected_versions": "All versions before 3.9.12, all versions starting from 4.0.0 before 4.7.6",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-02-22",
          "description": "react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, is vulnerable to cross-site scripting. All React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. `\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand.",
          "fixed_versions": [
            "3.10.0",
            "4.7.6"
          ],
          "identifier": "CVE-2023-25572",
          "identifiers": [
            "CVE-2023-25572",
            "GHSA-5jcr-82fh-339v"
          ],
          "not_impacted": "All versions starting from 3.9.12 before 4.0.0, all versions starting from 4.7.6",
          "package_slug": "npm/react-admin",
          "pubdate": "2023-02-13",
          "solution": "Upgrade to versions 3.10.0, 4.7.6 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-25572",
            "https://github.com/marmelab/react-admin/pull/8644",
            "https://github.com/marmelab/react-admin/pull/8645",
            "https://github.com/marmelab/react-admin/releases/tag/v3.19.12",
            "https://github.com/marmelab/react-admin/releases/tag/v4.7.6",
            "https://github.com/advisories/GHSA-5jcr-82fh-339v"
          ],
          "uuid": "8626b7d5-8f04-444c-8260-88fec82d009a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:marmelab:react-admin:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.7.6",
                "versionStartIncluding": "4.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:marmelab:react-admin:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.9.12",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:marmelab:ra-ui-materialui:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.9.12",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:marmelab:ra-ui-materialui:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.7.6",
                "versionStartIncluding": "4.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-25572"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. `\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6"
            },
            {
              "name": "https://github.com/marmelab/react-admin/pull/8645",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/marmelab/react-admin/pull/8645"
            },
            {
              "name": "https://github.com/marmelab/react-admin/pull/8644",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch"
              ],
              "url": "https://github.com/marmelab/react-admin/pull/8644"
            },
            {
              "name": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12"
            },
            {
              "name": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-02-22T20:12Z",
      "publishedDate": "2023-02-13T21:15Z"
    }
  }
}

GHSA-5JCR-82FH-339V

Vulnerability from github – Published: 2023-02-14 00:32 – Updated: 2023-02-14 00:32

Summary

Cross-Site-Scripting attack on `<RichTextField>`

Details

Impact

All React applications built with react-admin and using the <RichTextField> are affected.

<RichTextField> outputs the field value using dangerouslySetInnerHTML without client-side sanitization. If the data isn't sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack.

Proof of concept:

import { RichTextField } from 'react-admin';

const record = {
    id: 1,
    body: `
<p>
<strong>War and Peace</strong> is a novel by the Russian author
<a href="https://en.wikipedia.org/wiki/Leo_Tolstoy" onclick="document.getElementById('stolendata').value='credentials';">Leo Tolstoy</a>,
published serially, then in its entirety in 1869.
</p>
<p onmouseover="document.getElementById('stolendata').value='credentials';">
It is regarded as one of Tolstoy's finest literary achievements and remains a classic of world literature.
</p>
<img src="x" onerror="document.getElementById('stolendata').value='credentials';" />
`,
};

const VulnerableRichTextField = () => (
    <>
        <RichTextField record={record} source="body" />
        <hr />
        <h4>Stolen data:</h4>
        <input id="stolendata" defaultValue="none" />
    </>
);

Patches

Versions 3.19.12 and 4.7.6 now use DOMPurify to escape the HTML before outputting it with React and dangerouslySetInnerHTML

Workarounds

You don't need to upgrade if you already sanitize HTML data server-side.

Otherwise, you'll have to replace the <RichTextField> by a custom field doing sanitization by hand:

// react-admin v4
import * as React from 'react';
import { memo } from 'react';
import PropTypes from 'prop-types';
import get from 'lodash/get';
import Typography from '@material-ui/core/Typography';
import { useRecordContext, sanitizeFieldRestProps, fieldPropTypes } from 'react-admin';
import purify from 'dompurify';

export const removeTags = (input) =>
    input ? input.replace(/<[^>]+>/gm, '') : '';

const RichTextField = memo(
    props => {
        const { className, emptyText, source, stripTags, ...rest } = props;
        const record = useRecordContext(props);
        const value = get(record, source);

        return (
            <Typography
                className={className}
                variant="body2"
                component="span"
                {...sanitizeFieldRestProps(rest)}
            >
                {value == null && emptyText ? (
                    emptyText
                ) : stripTags ? (
                    removeTags(value)
                ) : (
                    <span
                        dangerouslySetInnerHTML={{
                            __html: purify.sanitize(value),
                        }}
                    />
                )}
            </Typography>
        );
    }
);

RichTextField.defaultProps = {
    addLabel: true,
    stripTags: false,
};

RichTextField.propTypes = {
    // @ts-ignore
    ...Typography.propTypes,
    ...fieldPropTypes,
    stripTags: PropTypes.bool,
};

RichTextField.displayName = 'RichTextField';

export default RichTextField;

References

https://github.com/marmelab/react-admin/pull/8644, https://github.com/marmelab/react-admin/pull/8645

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.19.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ra-ui-materialui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ra-ui-materialui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.19.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-14T00:32:21Z",
    "nvd_published_at": "2023-02-13T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAll React applications built with react-admin and using the `\u003cRichTextField\u003e` are affected. \n\n`\u003cRichTextField\u003e` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn\u0027t sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack. \n\nProof of concept:\n\n```jsx\nimport { RichTextField } from \u0027react-admin\u0027;\n\nconst record = {\n    id: 1,\n    body: `\n\u003cp\u003e\n\u003cstrong\u003eWar and Peace\u003c/strong\u003e is a novel by the Russian author\n\u003ca href=\"https://en.wikipedia.org/wiki/Leo_Tolstoy\" onclick=\"document.getElementById(\u0027stolendata\u0027).value=\u0027credentials\u0027;\"\u003eLeo Tolstoy\u003c/a\u003e,\npublished serially, then in its entirety in 1869.\n\u003c/p\u003e\n\u003cp onmouseover=\"document.getElementById(\u0027stolendata\u0027).value=\u0027credentials\u0027;\"\u003e\nIt is regarded as one of Tolstoy\u0027s finest literary achievements and remains a classic of world literature.\n\u003c/p\u003e\n\u003cimg src=\"x\" onerror=\"document.getElementById(\u0027stolendata\u0027).value=\u0027credentials\u0027;\" /\u003e\n`,\n};\n\nconst VulnerableRichTextField = () =\u003e (\n    \u003c\u003e\n        \u003cRichTextField record={record} source=\"body\" /\u003e\n        \u003chr /\u003e\n        \u003ch4\u003eStolen data:\u003c/h4\u003e\n        \u003cinput id=\"stolendata\" defaultValue=\"none\" /\u003e\n    \u003c/\u003e\n);\n```\n\n### Patches\n\nVersions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`\n\n### Workarounds\n\nYou don\u0027t need to upgrade if you already sanitize HTML data server-side. \n\nOtherwise, you\u0027ll have to replace the `\u003cRichTextField\u003e` by a custom field doing sanitization by hand:\n\n```tsx\n// react-admin v4\nimport * as React from \u0027react\u0027;\nimport { memo } from \u0027react\u0027;\nimport PropTypes from \u0027prop-types\u0027;\nimport get from \u0027lodash/get\u0027;\nimport Typography from \u0027@material-ui/core/Typography\u0027;\nimport { useRecordContext, sanitizeFieldRestProps, fieldPropTypes } from \u0027react-admin\u0027;\nimport purify from \u0027dompurify\u0027;\n\nexport const removeTags = (input) =\u003e\n    input ? input.replace(/\u003c[^\u003e]+\u003e/gm, \u0027\u0027) : \u0027\u0027;\n\nconst RichTextField = memo(\n    props =\u003e {\n        const { className, emptyText, source, stripTags, ...rest } = props;\n        const record = useRecordContext(props);\n        const value = get(record, source);\n\n        return (\n            \u003cTypography\n                className={className}\n                variant=\"body2\"\n                component=\"span\"\n                {...sanitizeFieldRestProps(rest)}\n            \u003e\n                {value == null \u0026\u0026 emptyText ? (\n                    emptyText\n                ) : stripTags ? (\n                    removeTags(value)\n                ) : (\n                    \u003cspan\n                        dangerouslySetInnerHTML={{\n                            __html: purify.sanitize(value),\n                        }}\n                    /\u003e\n                )}\n            \u003c/Typography\u003e\n        );\n    }\n);\n\nRichTextField.defaultProps = {\n    addLabel: true,\n    stripTags: false,\n};\n\nRichTextField.propTypes = {\n    // @ts-ignore\n    ...Typography.propTypes,\n    ...fieldPropTypes,\n    stripTags: PropTypes.bool,\n};\n\nRichTextField.displayName = \u0027RichTextField\u0027;\n\nexport default RichTextField;\n```\n\n### References\n\nhttps://github.com/marmelab/react-admin/pull/8644, https://github.com/marmelab/react-admin/pull/8645\n",
  "id": "GHSA-5jcr-82fh-339v",
  "modified": "2023-02-14T00:32:21Z",
  "published": "2023-02-14T00:32:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25572"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marmelab/react-admin/pull/8644"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marmelab/react-admin/pull/8645"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/marmelab/react-admin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marmelab/react-admin/releases/tag/v3.19.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marmelab/react-admin/releases/tag/v4.7.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-Site-Scripting attack on `\u003cRichTextField\u003e`"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-25572 (GCVE-0-2023-25572)

FKIE_CVE-2023-25572

GSD-2023-25572

GHSA-5JCR-82FH-339V

Impact

Patches

Workarounds

References

Tags

Sightings

Nomenclature