Homepage
About Snyk

@udecode/plate-media@34.1.0 vulnerabilities

Plate Media plugin

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the @udecode/plate-media package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Cross-site Scripting (XSS)

@udecode/plate-media is a Plate Media plugin

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook, if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. An attacker can execute arbitrary scripts in the context of the user's browser.

Note:

  1. Editors that do not use urlParsers and instead consume the url property directly may also be vulnerable if the URL is not sanitised.

  2. The default parsers parseTwitterUrl and parseVideoUrl are not affected.

How to fix Cross-site Scripting (XSS)?

Upgrade @udecode/plate-media to version 36.0.10 or higher.

<36.0.10
Go back to all versions of this package