CVSS3 base score: 5.4 Medium

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | NONE |
| Vector string | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |

CVSS2 base score: 4.9 Medium

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | SINGLE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |
| Vector string | AV:N/AC:M/Au:S/C:P/I:P/A:N |

EPSS: 0.001 (Low), percentile 35.5%
All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn't sanitized server-side, this opens a possible Cross-Site Scripting (XSS) attack.
Proof of concept:

```jsx
import { RichTextField } from 'react-admin';

// A record whose rich-text field carries attacker-controlled HTML.
const record = {
  id: 1,
  body: `
    <p>
      <strong>War and Peace</strong> is a novel by the Russian author
      <a href="https://en.wikipedia.org/wiki/Leo_Tolstoy">Leo Tolstoy</a>,
      published serially, then in its entirety in 1869.
    </p>
    <p>
      It is regarded as one of Tolstoy's finest literary achievements and remains a classic of world literature.
    </p>
    <img src />
  `,
};

// RichTextField injects record.body into the DOM as-is (dangerouslySetInnerHTML),
// so any markup in the field, including the trailing <img>, is rendered live.
const VulnerableRichTextField = () => (
  <>
    <RichTextField record={record} source="body" />
    <hr />
    <h4>Stolen data:</h4>
    <input id="stolendata" defaultValue="none" />
  </>
);
```
Versions 3.19.12 and 4.7.6 now use DOMPurify to sanitize the HTML before outputting it with React and `dangerouslySetInnerHTML`.

You don't need to upgrade if you already sanitize HTML data server-side. Otherwise, you'll have to replace `<RichTextField>` with a custom field that sanitizes the value by hand:
```jsx
// react-admin v4
import * as React from 'react';
import { memo } from 'react';
import PropTypes from 'prop-types';
import get from 'lodash/get';
// react-admin v4 is built on MUI v5, so Typography comes from @mui/material
import Typography from '@mui/material/Typography';
import { useRecordContext, sanitizeFieldRestProps, fieldPropTypes } from 'react-admin';
import purify from 'dompurify';

// Plain-text fallback used when stripTags is set: drops every tag, keeps the text.
export const removeTags = (input) =>
  input ? input.replace(/<[^>]+>/gm, '') : '';

const RichTextField = memo(
  props => {
    const { className, emptyText, source, stripTags, ...rest } = props;
    const record = useRecordContext(props);
    const value = get(record, source);
    return (
      <Typography
        className={className}
        variant="body2"
        component="span"
        {...sanitizeFieldRestProps(rest)}
      >
        {value == null && emptyText ? (
          emptyText
        ) : stripTags ? (
          removeTags(value)
        ) : (
          // Sanitize with DOMPurify before handing the HTML to React;
          // never pass the raw field value to dangerouslySetInnerHTML.
          <span dangerouslySetInnerHTML={{ __html: purify.sanitize(value) }} />
        )}
      </Typography>
    );
  }
);

RichTextField.defaultProps = {
  addLabel: true,
  stripTags: false,
};

RichTextField.propTypes = {
  // @ts-ignore
  ...Typography.propTypes,
  ...fieldPropTypes,
  stripTags: PropTypes.bool,
};

RichTextField.displayName = 'RichTextField';

export default RichTextField;
```
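The advisory says an upgrade is unnecessary when HTML is already sanitized server-side. Before relying on that, it is worth checking what is actually stored. The script below is an added example (not part of the advisory or of react-admin) that scans API records for markup a default DOMPurify configuration removes: `<script>`, `<iframe>`, `<object>` and `<embed>` elements, inline `on*` event handlers, and `javascript:`/`vbscript:` URLs. It assumes records are plain objects with an `id` and a rich-text field (here `body`); the sample records are constructed, with record 1 reusing the benign paragraph from the proof of concept. It is a triage heuristic for finding unsanitized data, not a sanitizer.

```javascript
// Added example, not from the advisory or the react-admin project.
// Heuristic scan of stored rich-text fields for markup that DOMPurify's
// defaults strip. Encoded or obfuscated variants are not recognised, so a
// clean report is a hint, not proof; the fix remains sanitizing on output.

const FORBIDDEN_ELEMENT = /<(script|iframe|object|embed)\b/gi;          // used with matchAll
const EVENT_HANDLER_ATTR = /<[^<>]*\s+on[a-z]+\s*=/i;                   // <tag ... onXXX=
const SCRIPT_URL = /\b(?:href|src|action|formaction)\s*=\s*["']?\s*(?:javascript|vbscript)\s*:/i;

// Findings for one HTML string; an empty array means nothing was flagged.
function scanHtml(html) {
  const findings = [];
  if (typeof html !== 'string' || html.length === 0) return findings;
  for (const m of html.matchAll(FORBIDDEN_ELEMENT)) {
    findings.push(`forbidden-element:${m[1].toLowerCase()}`);
  }
  if (EVENT_HANDLER_ATTR.test(html)) findings.push('event-handler-attribute');
  if (SCRIPT_URL.test(html)) findings.push('script-url');
  return findings;
}

// Scan every record's `source` field and report the ids that were flagged.
function scanRecords(records, source = 'body') {
  const report = { total: records.length, flagged: [] };
  for (const record of records) {
    const findings = scanHtml(record[source]);
    if (findings.length > 0) report.flagged.push({ id: record.id, findings });
  }
  return report;
}

// Constructed sample records (hypothetical API response). Record 1 is the
// benign paragraph from the advisory's proof of concept.
const SAMPLE_RECORDS = [
  { id: 1, body: '<p><strong>War and Peace</strong> is a novel by the Russian author '
      + '<a href="https://en.wikipedia.org/wiki/Leo_Tolstoy">Leo Tolstoy</a>, '
      + 'published serially, then in its entirety in 1869.</p>' },
  { id: 2, body: '<p>Looks fine</p><b onmouseover="handler()">hover</b>' },   // inline handler
  { id: 3, body: '<a href="javascript:void(0)">click</a>' },                  // script URL
  { id: 4, body: '<p>Hello</p><script>handler()</script>' },                  // forbidden element
  { id: 5, body: '<p>An &lt;img&gt; written as text is harmless</p>' },       // entities, not markup
];

console.log(JSON.stringify(scanRecords(SAMPLE_RECORDS), null, 2));
```

Run it against a dump of the records your API serves for the affected resource (for example the JSON returned by the list endpoint); any flagged id shows that the server-side sanitization the advisory refers to is not in place for that data, and the upgrade or the custom field above is needed.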
https://github.com/marmelab/react-admin/pull/8644, https://github.com/marmelab/react-admin/pull/8645
| CPE | Name | Operator | Version |
|---|---|---|---|
| | ra-ui-materialui | lt | 3.19.12 |
| | ra-ui-materialui | lt | 4.7.6 |
| | react-admin | lt | 4.7.6 |
| | react-admin | lt | 3.19.12 |
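To turn the affected-version table into a check that can be run against a project, here is an added example (not part of the advisory or of react-admin) that compares the installed versions of `react-admin` and `ra-ui-materialui` in a `package-lock.json` against the fixed versions. It assumes that each `lt` row applies to its own major line, i.e. 3.x below 3.19.12 and 4.x below 4.7.6, so that 3.19.12 itself is not treated as affected merely because it is numerically below 4.7.6; majors the table does not list (such as 5.x) are reported as not covered. The lockfile object is constructed for the demonstration.

```javascript
// Added example, not from the advisory or the react-admin project.
// Fixed versions per package and per major line, from the advisory's table.
// Assumption: the two "lt" rows per package describe the 3.x and 4.x lines.
const FIXED_VERSIONS = {
  'react-admin':      { 3: '3.19.12', 4: '4.7.6' },
  'ra-ui-materialui': { 3: '3.19.12', 4: '4.7.6' },
};

// Parse "4.7.6", "v4.7.6" or "4.7.6-rc.1" into { nums: [4, 7, 6], pre: 'rc.1' | null }.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// -1 if a < b, 0 if equal, 1 if a > b. A pre-release sorts below the same
// release (4.7.6-rc.1 < 4.7.6); pre-release identifiers are not compared further.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Fixed version that applies to this package and major line, or null when the
// advisory lists no range for it.
function fixedVersionFor(pkg, version) {
  const lines = FIXED_VERSIONS[pkg];
  if (!lines) return null;
  return lines[parseVersion(version).nums[0]] || null;
}

// True when the advisory's ranges cover this exact package version.
function isAffected(pkg, version) {
  const fixed = fixedVersionFor(pkg, version);
  return fixed !== null && compareVersions(version, fixed) < 0;
}

// Report every installed copy of a listed package found in a parsed
// package-lock.json: the v2/v3 "packages" map, or the v1 "dependencies" tree.
function auditLockfile(lock) {
  const results = [];
  const report = (pkg, version) => results.push({
    pkg, version, affected: isAffected(pkg, version), fixed: fixedVersionFor(pkg, version),
  });
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      // keys look like "node_modules/react-admin" or "node_modules/x/node_modules/react-admin"
      const name = key.split('node_modules/').pop();
      if (FIXED_VERSIONS[name] && entry.version) report(name, entry.version);
    }
    return results;
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (FIXED_VERSIONS[name] && entry.version) report(name, entry.version);
      walk(entry.dependencies);   // nested copies in a lockfile v1 tree
    }
  };
  walk(lock.dependencies);
  return results;
}

// Constructed sample lockfile (v3 layout) standing in for a real package-lock.json.
const SAMPLE_LOCK = {
  name: 'my-admin', lockfileVersion: 3,
  packages: {
    '': { name: 'my-admin', version: '1.0.0' },
    'node_modules/react': { version: '18.2.0' },
    'node_modules/react-admin': { version: '4.7.2' },
    'node_modules/ra-ui-materialui': { version: '4.7.2' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

For a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; nested copies are reported separately because a single hoisted `react-admin` can coexist with an older `ra-ui-materialui` pulled in elsewhere in the tree.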
github.com/advisories/GHSA-5jcr-82fh-339v
github.com/marmelab/react-admin/pull/8644
github.com/marmelab/react-admin/pull/8645
github.com/marmelab/react-admin/releases/tag/v3.19.12
github.com/marmelab/react-admin/releases/tag/v4.7.6
github.com/marmelab/react-admin/security/advisories/GHSA-5jcr-82fh-339v
nvd.nist.gov/vuln/detail/CVE-2023-25572