CVE-2024-40631: Plate media plugins has a XSS in media embed element when using custom URL parsers

July 15, 2024

Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and instead consume the url property directly may also be vulnerable if the URL is not sanitised.

The default parsers parseTwitterUrl and parseVideoUrl are not affected.

Examples of vulnerable code:

const { embed } = useMediaState({
urlParsers: [
// Custom parser that does not use an allowlist or validate the URL protocol
(url) => ({ url }),
],
});

return (
<iframe
src={embed!.url}
// ...
/>
);

const { url } = useMediaState();

return (
<iframe
// url property used directly from useMediaState() with no sanitisation
src={url}
// ...
/>
);

const { url } = element;

return (
<iframe
// url property used directly from element with no sanitisation
src={url}
// ...
/>
);

References

Detect and mitigate CVE-2024-40631 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →