CVE-2023-41167

@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a react component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the editor.js rich text editor to handle rich text content. The CMS stores rich text content from the editor.js into the database. When the @webiny/react-rich-text-renderer is used to render such content, it uses the dangerouslySetInnerHTML prop, without applying HTML sanitization. The issue arises when an actor, who in this context would specifically be a content manager with access to the CMS, inserts a malicious script as part of the user-defined input. This script is then injected and executed within the user's browser when the main page or admin page loads.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/webiny/webiny-js/security/advisories/GHSA-3x59-vrmc-5mx6	Vendor Advisory
https://webiny.com	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:webiny:webiny:*:*:*:*:*:node.js:*:*

History

31 Aug 2023, 16:42

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/webiny/webiny-js/security/advisories/GHSA-3x59-vrmc-5mx6 -~~	(MISC) https://github.com/webiny/webiny-js/security/advisories/GHSA-3x59-vrmc-5mx6 - Vendor Advisory
References	~~(MISC) https://webiny.com -~~	(MISC) https://webiny.com - Product
First Time		Webiny Webiny webiny
CPE		cpe:2.3:a:webiny:webiny::::::node.js::*
CWE		CWE-79
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8

25 Aug 2023, 14:45

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-25 14:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-41167

Mitre link : CVE-2023-41167

CVE.ORG link : CVE-2023-41167

JSON object : View

Products Affected

webiny

webiny

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-41167", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2023-08-25T14:15:10.150", "references": [{"url": "https://github.com/webiny/webiny-js/security/advisories/GHSA-3x59-vrmc-5mx6", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://webiny.com", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a react component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the editor.js rich text editor to handle rich text content. The CMS stores rich text content from the editor.js into the database. When the @webiny/react-rich-text-renderer is used to render such content, it uses the dangerouslySetInnerHTML prop, without applying HTML sanitization. The issue arises when an actor, who in this context would specifically be a content manager with access to the CMS, inserts a malicious script as part of the user-defined input. This script is then injected and executed within the user's browser when the main page or admin page loads."}, {"lang": "es", "value": "@webiny/react-rich-text-renderer antes de 5.37.2 permite ataques Cross-Site Scripting (XSS) por parte de gestores de contenido. Se trata de un componente react para renderizar datos procedentes de Webiny Headless CMS y Webiny Form Builder. Webiny es un CMS empresarial sin servidor de c\u00f3digo abierto. El paquete @webiny/react-rich-text-renderer depende del editor de texto enriquecido editor.js para manejar contenido de texto enriquecido. El CMS almacena el contenido de texto enriquecido del editor.js en la base de datos. Cuando el @webiny/react-rich-text-renderer se utiliza para renderizar dicho contenido, utiliza la prop peligrosamenteSetInnerHTML, sin aplicar la limpieza HTML. El problema surge cuando un actor, que en este contexto ser\u00eda espec\u00edficamente un gestor de contenidos con acceso al CMS, inserta un script malicioso como parte de la entrada definida por el usuario. Este script se inyecta y ejecuta en el navegador del usuario cuando se carga la p\u00e1gina principal o la p\u00e1gina de administraci\u00f3n."}], "lastModified": "2023-08-31T16:42:22.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:webiny:webiny:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DE1F8F81-5632-48C7-A936-6DFD054D1D37", "versionEndExcluding": "5.37.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}