CVE-2023-25572

CVSS V2 None CVSS V3 None
Description
react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn't sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `<RichTextField>` by a custom field doing sanitization by hand.
Overview
  • CVE ID
  • CVE-2023-25572
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2023-02-13T21:15:15
  • Last Modified Date
  • 2023-02-22T20:12:28
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:marmelab:ra-ui-materialui:*:*:*:*:*:node.js:*:* 1 OR 3.9.12
cpe:2.3:a:marmelab:ra-ui-materialui:*:*:*:*:*:node.js:*:* 1 OR 4.0.0 4.7.6
cpe:2.3:a:marmelab:react-admin:*:*:*:*:*:node.js:*:* 1 OR 3.9.12
cpe:2.3:a:marmelab:react-admin:*:*:*:*:*:node.js:*:* 1 OR 4.0.0 4.7.6
History
Created Old Value New Value Data Type Notes
2023-04-17 07:39:14 Added to TrackCVE
2023-04-17 07:39:16 Weakness Enumeration new