PT-2023-27842 · Webiny · @Webiny/React-Rich-Text-Renderer

Pavel910 · Published 2023-08-24 · Updated 2023-08-31 · CVE-2023-41167

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
@webiny/react-rich-text-renderer versions prior to 5.37.2

Description
The issue arises when a content manager with access to the CMS inserts a malicious script as part of the user-defined input, which is then injected and executed within the user's browser when the main page or admin page loads. This is due to the @webiny/react-rich-text-renderer using the dangerouslySetInnerHTML prop without applying HTML sanitization. The @webiny/react-rich-text-renderer package depends on the editor.js rich text editor to handle rich text content.

Recommendations
Update to Webiny version 5.37.2 to patch this vulnerability. If you're running a Webiny project created prior to 5.35.0 and you're using the legacy rich text editor, update to version 5.37.2. If you've already switched to using the new rich text editor, powered by Lexical editor, no action is required.
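To make the flaw concrete, the following added example (not Webiny's or editor.js's code) models a renderer that turns an editor.js paragraph block into the HTML string a React component would pass to dangerouslySetInnerHTML, first unsanitized as the advisory describes, then with an allowlist sanitizer; the sample block, the tag allowlist and the helper names are constructed for the example, and a production renderer should use a maintained sanitizer such as DOMPurify rather than this compact one.

```javascript
// Added example (not Webiny's or editor.js's code): a minimal model of a rich-text renderer
// turning an editor.js paragraph block into the HTML string a React component would pass
// to dangerouslySetInnerHTML, first unsanitized (the advisory's flaw), then sanitized.
const ALLOWED_TAGS = new Set(["b", "i", "u", "a", "code", "mark", "br"]); // inline tags editor.js emits
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;

// Vulnerable shape: stored text is trusted verbatim, so any markup a content manager
// saved (script tags, event-handler attributes, javascript: links) reaches the DOM.
function renderParagraphUnsafe(block) {
  return `<p>${block.data.text}</p>`;
}
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Keep an href only when it uses an http(s) or mailto scheme; anything else is dropped.
function safeHref(attrs) {
  const m = /\bhref\s*=\s*"([^"]*)"/i.exec(attrs);
  if (!m) return null;
  const href = m[1].trim();
  return /^(https?:|mailto:)/i.test(href) ? href : null;
}

// Hardened shape: allowlist tags, strip every attribute except a vetted href, and
// neutralise stray angle brackets in the text between tags.
function sanitizeInline(html) {
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const [, close, name, attrs] = m;
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // <script>, <img>, ... removed; their inner text stays inert
    if (tag === "a" && !close) {
      const href = safeHref(attrs);
      out += href ? `<a href="${href}" rel="noopener noreferrer">` : "<a>";
    } else {
      out += `<${close}${tag}>`;
    }
  }
  return out + escapeText(html.slice(last));
}

function renderParagraphSafe(block) {
  return `<p>${sanitizeInline(block.data.text)}</p>`;
}

// Constructed editor.js-style block (sample data, not taken from the advisory).
const storedBlock = { type: "paragraph", data: { text: 'Hi <b>team</b><script>evil()</script> see <a href="javascript:evil()">docs</a> & <a href="https://example.com">site</a>' } };
```

The unsafe renderer passes the stored markup through untouched; the sanitized one keeps only the inline formatting and a vetted link.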

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2023-41167
GHSA-3X59-VRMC-5MX6

Affected products

@Webiny/React-Rich-Text-Renderer