Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2024-40631

Disclosure Date: July 15, 2024
CVE-2024-40631
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume the url property directly may also be vulnerable if the URL is not sanitised. The default parsers parseTwitterUrl and parseVideoUrl are not affected. @udecode/plate-media 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the embed property returned from useMediaState. In addition, the url property returned from useMediaState has been renamed to unsafeUrl to indicate that it has not been sanitised. The url property on element is also unsafe, but has not been renamed. If you’re using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom urlParsers do not allow javascript:, data: or vbscript: URLs to be returned in the url property of their return values. If url is consumed directly, validate the URL protocol before passing it to the iframe element.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
plate < 36.0.10
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

Products

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis