PT-2024-30536 · Ez Systems · Ezplatform-Richtext+1

Published 2024-08-14 · Updated 2024-08-19 · CVE-2024-43372

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
ezplatform-richtext versions prior to the patched version
fieldtype-richtext versions prior to the patched version

Description: The validator for the RichText fieldtype blocklists javascript: and vbscript: in links to prevent XSS, but this check can be circumvented using upper case, leaving other options open. Content editing permissions for RichText content are required to exploit this issue, which typically means Editor role or higher. The fix implements an allowlist instead, which allows only approved link protocols, and the new check is case insensitive.

Recommendations: For ezplatform-richtext, update to a patched version to resolve the issue. For fieldtype-richtext, update to a patched version to resolve the issue. As a temporary workaround, consider restricting the use of the RichText fieldtype until a patch is available. Avoid using upper case to circumvent the blocklist check in the RichText fieldtype until the issue is resolved.
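To make the difference between the two validation strategies concrete, here is an added, language-neutral illustration (Python, not code from ezplatform-richtext or its patch): a case-sensitive blocklist of the kind the description refers to, beside a case-insensitive scheme allowlist. The set of approved protocols and the sample hrefs are assumptions constructed for the example.

```python
import re

# URI scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Protocols an editor may legitimately put in a link. Assumed set for this
# example; the project's patched allowlist may differ.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", "tel"})


def blocklist_is_safe(href: str) -> bool:
    """Vulnerable pattern: case-sensitive blocklist of two known-bad prefixes."""
    return not (href.startswith("javascript:") or href.startswith("vbscript:"))


def allowlist_is_safe(href: str) -> bool:
    """Hardened pattern: relative links pass, absolute links need an approved scheme."""
    # ASCII control characters never belong in an href. Browsers are more lenient
    # than the scheme regex above, so reject rather than guess how they would parse.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in href):
        return False
    m = _SCHEME_RE.match(href.strip())
    if m is None:
        return True  # no scheme: relative or protocol-relative URL
    # Lower-casing the scheme is what makes the check case insensitive.
    return m.group(1).lower() in ALLOWED_SCHEMES


# Constructed sample hrefs with the verdict a correct validator should reach.
SAMPLE_HREFS = {
    "https://example.org/page": True,
    "/about": True,
    "MAILTO:editor@example.org": True,   # allowed scheme, unusual case
    "javascript:void(0)": False,
    "JavaScript:void(0)": False,         # upper case slips past the blocklist
    "data:text/plain,hello": False,      # unlisted scheme, never on the blocklist
}


def compare(hrefs=SAMPLE_HREFS):
    """Return {href: (blocklist verdict, allowlist verdict)} for each sample."""
    return {h: (blocklist_is_safe(h), allowlist_is_safe(h)) for h in hrefs}


if __name__ == "__main__":
    for href, (block, allow) in compare().items():
        flag = "" if allow == SAMPLE_HREFS[href] else "  <-- allowlist wrong"
        print(f"{href:32} blocklist={block!s:5} allowlist={allow!s:5}{flag}")
```

Running it shows the blocklist accepting the mixed-case and data: links while the allowlist rejects them and still admits ordinary, relative and oddly-cased mailto links.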

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-43372
GHSA-HVCF-6324-CJH7
GHSA-RHM7-7469-RCPW

Affected Products

Ezplatform-Richtext
Fieldtype-Richtext