CVE-2023-25572

Name of the Vulnerable Software and Affected Versions react-admin versions prior to 3.19.12 and 4.7.6 ra-ui-materialui versions prior to 3.19.12 and 4.7.6

Description The issue affects all React applications built with react-admin and using the <RichTextField>. This component outputs the field value using dangerouslySetInnerHTML without client-side sanitization, which can lead to a cross-site scripting (XSS) attack if the data is not sanitized server-side.

Recommendations For versions prior to 3.19.12 and 4.7.6, update to version 3.19.12 or 4.7.6, which use DOMPurify to escape the HTML before outputting it with React and dangerouslySetInnerHTML. As a temporary workaround, users may replace the <RichTextField> with a custom field that performs sanitization manually. If you already sanitize HTML data server-side, you do not need to upgrade.