CVE-2023-34245 HIGH

CVE-2023-34245: Cross site scripting (XSS) in @udecode/plate-link

Vendor Udecode

Product plate

Weakness CWE-79 · XSS

Published June 9, 2023

Last update January 6, 2025

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

@udecode/plate-link is the link handler for the udecode/plate rich-text editor plugin system for Slate & React. Affected versions of the link plugin and link UI component do not sanitize URLs to prevent use of the `javascript:` scheme. As a result, links with JavaScript URLs can be inserted into the Plate editor through various means, including opening or pasting malicious content. `@udecode/plate-link` 20.0.0 resolves this issue by introducing an `allowedSchemes` option to the link plugin, defaulting to `['http', 'https', 'mailto', 'tel']`. URLs using a scheme that isn't in this list will not be rendered to the DOM. Users are advised to upgrade. Users unable to upgrade are advised to override the `LinkElement` and `PlateFloatingLink` components with implementations that explicitly check the URL scheme before rendering any anchor elements.

Key dates

02Disclosure timeline

June 9, 2023 CVE published

January 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-34245

Related vulnerabilities

CVE-2023-34245: Cross site scripting (XSS) in @udecode/plate-link

01Description

02Disclosure timeline

03References

04Related CVE