PT-2024-32380 · Unknown · @Udecode/Plate-Core

Joan · Published 2024-09-20 · Updated 2024-09-26 · CVE-2024-47061

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: @udecode/plate-core versions prior to 21.5.1 and 36.5.9

Description: The issue concerns a longstanding feature in Plate that allows adding custom DOM attributes to elements or leaves via the attributes property. These attributes can be used for malicious purposes, including cross-site scripting (XSS) and information exposure: a crafted document can reveal the IP address of a user who opens it, and the fact that they opened it. The risk is particularly relevant in applications where web requests to arbitrary URLs are not ordinarily allowed. Plate editors using affected versions of @udecode/plate-core are vulnerable to these information exposure attacks via the style attribute and any other attribute that can cause a web request to be sent. The DOM attributes most likely to be abused are href and src on links and iframes, respectively.

Recommendations: For Plate >= 37, specify the list of allowed attribute names in the node.dangerouslyAllowAttributes plugin configuration option for custom plugins. For Plate < 37, specify the list of allowed attribute names in the dangerouslyAllowAttributes plugin configuration option for custom plugins. If you cannot upgrade to a patched version, use a tool such as patch-package or yarn patch to remove the logic in @udecode/plate-core that copies attributes onto nodeProps.
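The following is an added illustration, not code from Plate or from this advisory. It models the behaviour the advisory describes: an unfiltered copy of node.attributes onto the rendered element's props (the vulnerable shape), an allowlist filter standing in for what a dangerouslyAllowAttributes list is meant to enforce, and a small audit helper that lists which attributes in stored documents would cause a request or run script if rendered without filtering. The node shape, the attribute-category list, the sample document and the function names are all assumptions made for this example; consult the Plate release notes for the real plugin option.

```javascript
// Added example (not Plate's own code). Node shape, attribute list and
// sample document below are constructed for illustration.

// Attribute names that make a browser issue a request or run script when
// the element is rendered. Assumption: illustrative list, not Plate's.
const REQUEST_OR_SCRIPT_ATTRIBUTES = new Set([
  'href', 'src', 'style', 'srcset', 'poster', 'action', 'formaction',
]);

// Vulnerable shape: every key of node.attributes is copied onto the rendered
// element's props, so whoever authored the document decides what the
// viewer's browser fetches when the node is displayed.
function nodePropsUnfiltered(node) {
  return { ...(node.attributes ?? {}) };
}

// Hardened shape: only attribute names the plugin explicitly allows are
// forwarded; everything else is dropped. `allowed` plays the role of the
// plugin's dangerouslyAllowAttributes list. Refusing on* names even when
// listed is this example's own choice, not a documented Plate rule.
function nodePropsAllowlisted(node, allowed) {
  const allowedSet = new Set(allowed);
  const props = {};
  for (const [name, value] of Object.entries(node.attributes ?? {})) {
    if (allowedSet.has(name) && !/^on/i.test(name)) props[name] = value;
  }
  return props;
}

// Audit helper: walk a stored document and report every attribute that
// would trigger a request or script if rendered unfiltered. Useful for
// checking existing content before and after upgrading.
function findRiskyAttributes(nodes) {
  const findings = [];
  const walk = (node, path) => {
    for (const name of Object.keys(node.attributes ?? {})) {
      if (REQUEST_OR_SCRIPT_ATTRIBUTES.has(name) || /^on/i.test(name)) {
        findings.push({ path, attribute: name });
      }
    }
    (node.children ?? []).forEach((child, i) =>
      walk(child, `${path}.children[${i}]`));
  };
  nodes.forEach((node, i) => walk(node, `[${i}]`));
  return findings;
}

// Constructed sample document: one paragraph carrying a harmless custom
// attribute plus two attributes that would cause outbound requests, and a
// leaf carrying a src attribute.
const SAMPLE_DOC = [
  {
    type: 'p',
    attributes: {
      'data-block-id': 'b1',
      href: 'https://tracker.invalid/open',
      style: 'color: red',
    },
    children: [
      { text: 'hello', attributes: { src: 'https://tracker.invalid/leaf' } },
    ],
  },
];

// What a custom paragraph plugin would legitimately allow through.
const ALLOWED_ON_PARAGRAPH = ['data-block-id'];

// Stand-alone demonstration.
console.log('unfiltered :', nodePropsUnfiltered(SAMPLE_DOC[0]));
console.log('allowlisted:', nodePropsAllowlisted(SAMPLE_DOC[0], ALLOWED_ON_PARAGRAPH));
console.log('audit      :', findRiskyAttributes(SAMPLE_DOC));
```

The audit helper is the part worth keeping around: run it over documents already persisted in your database, since upgrading the library stops new attributes from being rendered but does not remove ones that were stored before the fix.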

Tags: Exploit, Fix, XSS

Weakness Enumeration

Related Identifiers: CVE-2024-47061, GHSA-73RG-F94J-XVHX

Affected Products: @Udecode/Plate-Core