{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40631", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-08T16:13:15.510Z", "datePublished": "2024-07-15T18:21:16.323Z", "dateUpdated": "2024-08-02T04:33:11.891Z"}, "containers": {"cna": {"title": "Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789"}, {"name": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0", "tags": ["x_refsource_MISC"], "url": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0"}, {"name": "https://stackoverflow.com/a/43467144", "tags": ["x_refsource_MISC"], "url": "https://stackoverflow.com/a/43467144"}], "affected": [{"vendor": "udecode", "product": "plate", "versions": [{"version": "< 36.0.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-15T18:21:16.323Z"}, "descriptions": [{"lang": "en", "value": "Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you're using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element.\n\n"}], "source": {"advisory": "GHSA-h3pq-667x-r789", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T19:49:31.663472Z", "id": "CVE-2024-40631", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T19:49:42.360Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.891Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789"}, {"name": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0"}, {"name": "https://stackoverflow.com/a/43467144", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://stackoverflow.com/a/43467144"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40631", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-08T16:13:15.510Z", "datePublished": "2024-07-15T18:21:16.323Z", "dateUpdated": "2024-07-19T19:49:42.360Z"}, "containers": {"cna": {"title": "Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789"}, {"name": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0", "tags": ["x_refsource_MISC"], "url": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0"}, {"name": "https://stackoverflow.com/a/43467144", "tags": ["x_refsource_MISC"], "url": "https://stackoverflow.com/a/43467144"}], "affected": [{"vendor": "udecode", "product": "plate", "versions": [{"version": "< 36.0.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-15T18:21:16.323Z"}, "descriptions": [{"lang": "en", "value": "Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you're using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element.\n\n"}], "source": {"advisory": "GHSA-h3pq-667x-r789", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40631", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-19T19:49:31.663472Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T19:49:38.002Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you're using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element.\n\n"}, {"lang": "es", "value": "Plate media es un editor de texto enriquecido de c\u00f3digo abierto para React. Los editores que usan `MediaEmbedElement` y pasan `urlParsers` personalizados al enlace `useMediaState` pueden ser vulnerables a XSS si un analizador personalizado permite incrustar URL `javascript:`, `data:` o `vbscript:`. Los editores que no utilizan `urlParsers` y consumen la propiedad `url` directamente tambi\u00e9n pueden ser vulnerables si la URL no est\u00e1 sanitizada. Los analizadores predeterminados `parseTwitterUrl` y `parseVideoUrl` no se ven afectados. `@udecode/plate-media` 36.0.10 resuelve este problema al permitir solo URL HTTP y HTTPS durante el an\u00e1lisis. Esto afecta s\u00f3lo a la propiedad `embed` devuelta por `useMediaState`. Adem\u00e1s, se cambi\u00f3 el nombre de la propiedad `url` devuelta por `useMediaState` a `unsafeUrl` para indicar que no se ha sanitizado. La propiedad `url` en `element` tampoco es segura, pero no se le ha cambiado el nombre. Si utiliza cualquiera de estas propiedades directamente, a\u00fan deber\u00e1 validar la URL usted mismo. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que los `urlParsers` personalizados no permitan que las URL `javascript:`, `data:` o `vbscript:` se devuelvan en la propiedad `url` de sus valores de retorno. Si `url` se consume directamente, valide el protocolo de URL antes de pasarlo al elemento `iframe`."}], "id": "CVE-2024-40631", "lastModified": "2024-07-16T13:43:58.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-15T19:15:03.700", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/udecode/plate/commit/1bc0971774fbfb770780c9bdb94746a6f0f196a0"}, {"source": "security-advisories@github.com", "url": "https://github.com/udecode/plate/security/advisories/GHSA-h3pq-667x-r789"}, {"source": "security-advisories@github.com", "url": "https://stackoverflow.com/a/43467144"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}