Homepage

@udecode/plate-media@16.1.0 vulnerabilities

Plate Media plugin

  • latest version

    49.0.0

  • latest non vulnerable version

    49.0.0

  • first published

    3 years ago

  • latest version published

    4 months ago

  • deprecated

    Package is deprecated

  • licenses detected

  • View plate-media package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the @udecode/plate-media package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Cross-site Scripting (XSS)

    @udecode/plate-media is a Plate Media plugin

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook, if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. An attacker can execute arbitrary scripts in the context of the user's browser.

    Note:

    1. Editors that do not use urlParsers and instead consume the url property directly may also be vulnerable if the URL is not sanitised.

    2. The default parsers parseTwitterUrl and parseVideoUrl are not affected.

    How to fix Cross-site Scripting (XSS)?

    Upgrade @udecode/plate-media to version 36.0.10 or higher.

    <36.0.10
    Go back to all versions of this package