CVE-2023-41167

CVSS 3.1 Score 4.8 of 10 (medium)

Details

Published Aug 25, 2023
Updated: Aug 31, 2023
CWE ID 79

Summary

CVE-2023-41167 is a vulnerability affecting the @webiny/react-rich-text-renderer package before version 5.37.2. This component, used for rendering rich text data from Webiny Headless CMS and Form Builder, fails to apply HTML sanitization when using the dangerouslySetInnerHTML prop. By exploiting this weakness, content managers with malicious intent can inject and execute malicious scripts through the rich text content, posing a significant XSS risk for users. Webiny, an open-source serverless enterprise CMS, stores rich text data from editor.js in the database, which is then rendered using the vulnerable component. This issue can lead to scripts being executed in users' browsers when loading the main page or admin panel.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share