CVE-2024-40631 (GCVE-0-2024-40631)
Vulnerability from cvelistv5 – Published: 2024-07-15 18:21 – Updated: 2024-08-02 04:33
Title
Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media
Summary
Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you're using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element.
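The mitigation the advisory describes for editors that cannot upgrade, or that read `url` / `unsafeUrl` directly, is a protocol allow-list applied before the value reaches an `iframe`. The block below is an added example written for this page, not code from the plate project or the advisory, showing that check done with the WHATWG `URL` parser rather than a string prefix test, plus a wrapper that re-checks whatever a custom parser returns. The `{ url, provider }` return shape of a `urlParsers` entry is assumed here from the advisory's wording; the exact type plate uses is not on the page.

```javascript
// Added example (not plate's own code): allow-list the URL scheme of an
// embed before it is rendered into an <iframe src>, as the advisory advises.

const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// True only when `raw` parses as an absolute URL whose scheme is http or https.
// Using the URL class means leading whitespace and mixed-case schemes such as
// "  JaVaScRiPt:" are normalised the same way a browser would normalise them,
// so they cannot slip past a naive startsWith('javascript:') test.
function isSafeEmbedUrl(raw) {
  if (typeof raw !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(raw); // relative or malformed input throws -> rejected
  } catch {
    return false;
  }
  return SAFE_PROTOCOLS.has(parsed.protocol);
}

// Hypothetical custom urlParser (return shape assumed, see lead-in): declines
// anything that is not http(s), otherwise hands back the normalised href.
function safeGenericParser(raw) {
  if (!isSafeEmbedUrl(raw)) return undefined;
  const { hostname, href } = new URL(raw);
  return { url: href, provider: hostname };
}

// Defence in depth for an existing parser list: whatever `url` a parser
// returns is re-validated, so a parser with a permissive regex still cannot
// surface a javascript:, data: or vbscript: URL to the embed element.
function withProtocolGuard(parsers) {
  return parsers.map((parse) => (raw) => {
    const result = parse(raw);
    if (!result) return undefined;
    if (result.url !== undefined && !isSafeEmbedUrl(result.url)) return undefined;
    return result;
  });
}

// Constructed sample inputs: two benign embeds, the three schemes the
// advisory names (with harmless bodies), and inputs a prefix check mishandles.
const SAMPLE_URLS = [
  'https://www.youtube.com/watch?v=dQw4w9WgXcQ',
  'http://example.com/video',
  'javascript:void(0)',
  '  JaVaScRiPt:void(0)',
  'data:text/html,<p>hi</p>',
  'vbscript:MsgBox',
  '//example.com/protocol-relative',
  'not a url',
];

// Tag each sample with the verdict so the result can be inspected or asserted.
function classify(urls) {
  return urls.map((u) => ({ url: u, safe: isSafeEmbedUrl(u) }));
}

for (const row of classify(SAMPLE_URLS)) {
  console.log(row.safe ? 'allow ' : 'reject', JSON.stringify(row.url));
}
```

Pair the check with a restrictive `sandbox` attribute on the `iframe` where the host page can afford it; the allow-list stops script-scheme URLs, while the sandbox limits what a permitted but hostile https origin can do.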
Severity
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789 | x_refsource_CONFIRM |
| https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0 | x_refsource_MISC |
| https://stackoverflow.com/a/43467144 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40631",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T19:49:31.663472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T19:49:42.360Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.891Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789"
},
{
"name": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0"
},
{
"name": "https://stackoverflow.com/a/43467144",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stackoverflow.com/a/43467144"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "plate",
"vendor": "udecode",
"versions": [
{
"status": "affected",
"version": "\u003c 36.0.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you\u0027re using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T18:21:16.323Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789"
},
{
"name": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0"
},
{
"name": "https://stackoverflow.com/a/43467144",
"tags": [
"x_refsource_MISC"
],
"url": "https://stackoverflow.com/a/43467144"
}
],
"source": {
"advisory": "GHSA-h3pq-667x-r789",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40631",
"datePublished": "2024-07-15T18:21:16.323Z",
"dateReserved": "2024-07-08T16:13:15.510Z",
"dateUpdated": "2024-08-02T04:33:11.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-40631",
"date": "2026-04-25",
"epss": "0.00332",
"percentile": "0.56053"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you\u0027re using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Plate media es un editor de texto enriquecido de c\\u00f3digo abierto para React. Los editores que usan `MediaEmbedElement` y pasan `urlParsers` personalizados al enlace `useMediaState` pueden ser vulnerables a XSS si un analizador personalizado permite incrustar URL `javascript:`, `data:` o `vbscript:`. Los editores que no utilizan `urlParsers` y consumen la propiedad `url` directamente tambi\\u00e9n pueden ser vulnerables si la URL no est\\u00e1 sanitizada. Los analizadores predeterminados `parseTwitterUrl` y `parseVideoUrl` no se ven afectados. `@udecode/plate-media` 36.0.10 resuelve este problema al permitir solo URL HTTP y HTTPS durante el an\\u00e1lisis. Esto afecta s\\u00f3lo a la propiedad `embed` devuelta por `useMediaState`. Adem\\u00e1s, se cambi\\u00f3 el nombre de la propiedad `url` devuelta por `useMediaState` a `unsafeUrl` para indicar que no se ha sanitizado. La propiedad `url` en `element` tampoco es segura, pero no se le ha cambiado el nombre. Si utiliza cualquiera de estas propiedades directamente, a\\u00fan deber\\u00e1 validar la URL usted mismo. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que los `urlParsers` personalizados no permitan que las URL `javascript:`, `data:` o `vbscript:` se devuelvan en la propiedad `url` de sus valores de retorno. Si `url` se consume directamente, valide el protocolo de URL antes de pasarlo al elemento `iframe`.\"}]",
"id": "CVE-2024-40631",
"lastModified": "2024-11-21T09:31:23.870",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}]}",
"published": "2024-07-15T19:15:03.700",
"references": "[{\"url\": \"https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://stackoverflow.com/a/43467144\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://stackoverflow.com/a/43467144\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-40631\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-15T19:15:03.700\",\"lastModified\":\"2024-11-21T09:31:23.870\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you\u0027re using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element.\\n\\n\"},{\"lang\":\"es\",\"value\":\"Plate media es un editor de texto enriquecido de c\u00f3digo abierto para React. Los editores que usan `MediaEmbedElement` y pasan `urlParsers` personalizados al enlace `useMediaState` pueden ser vulnerables a XSS si un analizador personalizado permite incrustar URL `javascript:`, `data:` o `vbscript:`. Los editores que no utilizan `urlParsers` y consumen la propiedad `url` directamente tambi\u00e9n pueden ser vulnerables si la URL no est\u00e1 sanitizada. Los analizadores predeterminados `parseTwitterUrl` y `parseVideoUrl` no se ven afectados. `@udecode/plate-media` 36.0.10 resuelve este problema al permitir solo URL HTTP y HTTPS durante el an\u00e1lisis. Esto afecta s\u00f3lo a la propiedad `embed` devuelta por `useMediaState`. Adem\u00e1s, se cambi\u00f3 el nombre de la propiedad `url` devuelta por `useMediaState` a `unsafeUrl` para indicar que no se ha sanitizado. La propiedad `url` en `element` tampoco es segura, pero no se le ha cambiado el nombre. Si utiliza cualquiera de estas propiedades directamente, a\u00fan deber\u00e1 validar la URL usted mismo. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que los `urlParsers` personalizados no permitan que las URL `javascript:`, `data:` o `vbscript:` se devuelvan en la propiedad `url` de sus valores de retorno. Si `url` se consume directamente, valide el protocolo de URL antes de pasarlo al elemento `iframe`.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://stackoverflow.com/a/43467144\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://stackoverflow.com/a/43467144\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-79\", \"lang\": \"en\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789\"}, {\"name\": \"https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0\"}, {\"name\": \"https://stackoverflow.com/a/43467144\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://stackoverflow.com/a/43467144\"}], \"affected\": [{\"vendor\": \"udecode\", \"product\": \"plate\", \"versions\": [{\"version\": \"\u003c 36.0.10\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-15T18:21:16.323Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you\u0027re using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element.\\n\\n\"}], \"source\": {\"advisory\": \"GHSA-h3pq-667x-r789\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-40631\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-19T19:49:31.663472Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-19T19:49:38.002Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2024-40631\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-07-08T16:13:15.510Z\", \"datePublished\": \"2024-07-15T18:21:16.323Z\", \"dateUpdated\": \"2024-07-19T19:49:42.360Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.