PT-2024-28953 · Npm · @Udecode/Plate-Media

Joan · Published 2024-07-15 · Updated 2024-07-16 · CVE-2024-40631

CVSS v4.0: 8.4 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: @udecode/plate-media versions prior to 36.0.10

Description: The issue affects editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook. If a custom parser returns a javascript:, data: or vbscript: URL, that URL is embedded and XSS becomes possible. Editors that do not use urlParsers but consume the url property directly may also be vulnerable if the URL is not sanitized. The default parsers parseTwitterUrl and parseVideoUrl are not affected.

Recommendations: For versions prior to 36.0.10, ensure that any custom urlParsers do not allow javascript:, data: or vbscript: URLs to be returned in the url property of their return values. If url is consumed directly, validate the URL protocol before passing it to the iframe element. Upgrade to version 36.0.10 to resolve the issue, as that version only allows HTTP and HTTPS URLs during parsing. If you use the url property directly from useMediaState or element, validate the URL yourself, as these properties are not sanitized.
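The protocol check recommended above, as an added example that is not code from the @udecode/plate-media project. It assumes a custom urlParser has the shape `(url) => ({ url, provider, id } | undefined)`; that shape, the helper names `isSafeEmbedUrl`, `safeCustomParser`, `unsafeCustomParser` and `iframeSrcFor`, and the sample inputs are all constructed for this example. The check relies on the WHATWG URL parser rather than string prefix matching, so scheme case and leading whitespace are handled for free.

```javascript
// Added example (not the library's own code): allow-list the URL protocol of a
// media embed before it reaches an iframe src. The custom urlParser shape used
// here ({ url, provider, id }) is an assumption about the hook's contract.

const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// True only when the input parses as an absolute URL whose scheme is http or
// https. Opaque schemes (javascript:, data:, vbscript:), relative paths and
// unparsable input are all rejected. Using the URL parser means "JAVASCRIPT:"
// and " javascript:" are normalised before the comparison.
function isSafeEmbedUrl(raw) {
  if (typeof raw !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return false;
  }
  return SAFE_PROTOCOLS.has(parsed.protocol);
}

// Constructed vulnerable custom parser: passes any URL through unchanged,
// which is exactly the pattern the advisory warns about.
function unsafeCustomParser(url) {
  return { url, provider: 'custom', id: url };
}

// Hardened parser with the same return shape: refuses anything that is not
// http(s) by returning undefined, so no url property is ever produced for it.
function safeCustomParser(url) {
  if (!isSafeEmbedUrl(url)) return undefined;
  return { url, provider: 'custom', id: new URL(url).pathname };
}

// Final gate for code that consumes `url` directly (for example from the
// element itself): returns the value to put in iframe src, or null when the
// URL must not be embedded at all.
function iframeSrcFor(url) {
  return isSafeEmbedUrl(url) ? url : null;
}

// Constructed sample inputs, including case and whitespace variants that a
// naive startsWith('javascript:') check would miss.
const SAMPLE_INPUTS = [
  'https://example.com/embed/abc123',
  'http://example.com/embed/abc123',
  'javascript:void(0)',
  'JAVASCRIPT:void(0)',
  '  javascript:void(0)',
  'data:text/html,constructed',
  'vbscript:constructed',
  '/relative/path',
  'ftp://example.com/file',
];

// Classifies each sample input; only the two http(s) entries are allowed.
function classify(inputs = SAMPLE_INPUTS) {
  return inputs.map((input) => ({ input, safe: isSafeEmbedUrl(input) }));
}

for (const r of classify()) {
  console.log(r.safe ? 'ALLOW' : 'BLOCK', JSON.stringify(r.input));
}
```

Returning `undefined` from the hardened parser (rather than an empty string) matters: a falsy-but-present url property can still end up in an iframe src depending on how the consumer treats it, whereas an absent result means no embed is rendered.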

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2024-40631
GHSA-H3PQ-667X-R789

Affected Products
@Udecode/Plate-Media