PT-2021-19480 · Unknown · React-Draft-Wysiwyg

Fariskhi Vidyan

Published

2021-04-24

Updated

2021-09-09

CVE-2021-31712

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions react-draft-wysiwyg versions prior to 1.14.6

Description The issue allows a javascript: URI in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS.

Recommendations For versions prior to 1.14.6, update to version 1.14.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the link decorator in decorators/Link/index.js to minimize the risk of exploitation. Avoid using the javascript: URI in the Link Target until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-31712

GHSA-QCG2-H349-VWM3

Affected Products

React-Draft-Wysiwyg

PT-2021-19480 · Unknown · React-Draft-Wysiwyg

CVE-2021-31712

Weakness Enumeration

Related Identifiers

Affected Products

References · 8