Lucene search

4 matches found

Veracode
added 2024/07/16 5:8 a.m., 15 views

Cross Site Scripting (XSS)

@udecode/plate-media is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to a lack of proper URL sanitization in MediaEmbedElement and custom urlParsers and direct consumption of the url property, which allows an attacker to embed malicious URLs using javascript:, data:, or vbscript...

CVSS: 8.1 | AI score: 6.4 | EPSS: 0.00332
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2024/07/15 6:33 p.m., 11 views

GHSA-H3PQ-667X-R789 Plate media plugins has a XSS in media embed element when using custom URL parsers

Impact: Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and instead consume the url property directly may also be...

CVSS: 8.4 | AI score: 7.8 | EPSS: 0.00332
Exploits: 0 | References: 5
Github Security Blog
added 2024/07/15 6:33 p.m., 21 views

Plate media plugins has a XSS in media embed element when using custom URL parsers

Impact: Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and instead consume the url property directly may also be...

CVSS: 8.1 | AI score: 6 | EPSS: 0.00332
Exploits: 0 | References: 5 | Affected Software: 1
Vulnrichment
added 2024/07/15 6:21 p.m., 15 views

CVE-2024-40631 Cross-site Scripting (XSS) in media embed element when using custom URL parsers in plate media

Plate media is an open source, rich-text editor for React. Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and consume...

CVSS: 8.1 | AI score: 6 | EPSS: 0.00332
Exploits: 0 | References: 3