CVE-2021-31712

Опубликовано: 24 апр. 2021

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

react-draft-wysiwyg (aka React Draft Wysiwyg) before 1.14.6 allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS.

Ссылки

https://github.com/jpuri/react-draft-wysiwyg/commit/d2faeb612b53f10dff048de7dc57e1f4044b5380
Patch
Third Party Advisory
https://github.com/jpuri/react-draft-wysiwyg/issues/1102
Exploit
Issue Tracking
Third Party Advisory
https://github.com/jpuri/react-draft-wysiwyg/pull/1104
Patch
Third Party Advisory
https://github.com/jpuri/react-draft-wysiwyg/commit/d2faeb612b53f10dff048de7dc57e1f4044b5380
Patch
Third Party Advisory
https://github.com/jpuri/react-draft-wysiwyg/issues/1102
Exploit
Issue Tracking
Third Party Advisory
https://github.com/jpuri/react-draft-wysiwyg/pull/1104
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:react_draft_wysiwyg_project:react_draft_wysiwyg:*:*:*:*:*:node.js:*:*

Версия до 1.14.6 (исключая)

EPSS

Процентиль: 49%

0.00263

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-qcg2-h349-vwm3