Vulnerability	Vulnerable Version
H Cross-site Scripting (XSS) @udecode/plate-media is a Plate Media plugin Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook, if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. An attacker can execute arbitrary scripts in the context of the user's browser. Note: Editors that do not use `urlParsers` and instead consume the url property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. How to fix Cross-site Scripting (XSS)? Upgrade `@udecode/plate-media` to version 36.0.10 or higher.	<36.0.10

Cross-site Scripting (XSS)

@udecode/plate-media is a Plate Media plugin

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook, if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. An attacker can execute arbitrary scripts in the context of the user's browser.

Note:

Editors that do not use urlParsers and instead consume the url property directly may also be vulnerable if the URL is not sanitised.
The default parsers parseTwitterUrl and parseVideoUrl are not affected.

How to fix Cross-site Scripting (XSS)?

Upgrade @udecode/plate-media to version 36.0.10 or higher.

<36.0.10

Go back to all versions of this package