Description
Hello,
I’ve encountered a Cross-site Scripting (XSS) vulnerability in the react-draft-wysiwyg package, specifically in version 1.15.0. The vulnerability occurs when using the Embedded button, which can lead to malicious payloads being injected into the <iframe> tag.
Details:
Vulnerability Type: Cross-site Scripting (XSS).
Package Version Affected: react-draft-wysiwyg@1.15.0.
Introduced Through:
client@0.0.0.0.0 > react-draft-wysiwyg@1.15.0.
CVSS Score:
Snyk: CVSS v4.0: 5.1 - Medium Severity, CVSS v3.1: 6.1 - Medium Severity.
NVD: Not yet available.
Exploit Maturity: Proof of Concept.
Impact:
This vulnerability allows an attacker to inject malicious scripts into an iframe tag, which can then be executed within the context of the application. This can potentially lead to unauthorized access to sensitive data, session hijacking, or other malicious actions.
Fix:
Currently, there is no remediation path available for this issue in the affected version.
Request:
Are there any ongoing efforts to address this XSS vulnerability in future releases of react-draft-wysiwyg?
If a patch or workaround is available, please share the details.
Thank you for your time and consideration. Looking forward to the community's feedback!
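The issue asks for a workaround. The following is an added example, not code from react-draft-wysiwyg and not a description of how version 1.15.0 handles embeds: an application-side check that validates an embed link before any `<iframe>` is built from it. The function names (`sanitizeEmbedSrc`, `buildIframeHtml`, `escapeAttr`), the host allowlist, and the assumption that the editor exposes a callback through which the application can transform the embed link before it is used are all assumptions for illustration.

```javascript
// Added example (not react-draft-wysiwyg code). Names, hosts and callback wiring are assumptions.

// Hosts the application is willing to frame. Anything else is rejected outright.
const ALLOWED_EMBED_HOSTS = new Set(['www.youtube.com', 'player.vimeo.com']);

// Return a canonical https URL string, or null if the input must not be embedded.
function sanitizeEmbedSrc(input) {
  if (typeof input !== 'string' || input.length > 2048) return null;
  let url;
  try {
    url = new URL(input.trim()); // throws on relative or malformed input
  } catch {
    return null;
  }
  // Only https is framed: this rejects javascript:, data:, vbscript:, file:, etc.
  if (url.protocol !== 'https:') return null;
  // Reject embedded credentials: "https://www.youtube.com@evil.example/" has
  // hostname evil.example, although the raw string looks like a YouTube link.
  if (url.username !== '' || url.password !== '') return null;
  if (!ALLOWED_EMBED_HOSTS.has(url.hostname)) return null;
  // url.href is the serialized form: quotes and spaces in the path are
  // percent-encoded by the URL parser, so no raw attribute-breaking characters
  // survive into the src value.
  return url.href;
}

// Escape the five characters that matter inside an HTML attribute value.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Build iframe markup only for a validated src; returns null when rejected.
// sandbox without allow-same-origin keeps the framed document off the host origin.
function buildIframeHtml(input, width = 'auto', height = 'auto') {
  const src = sanitizeEmbedSrc(input);
  if (src === null) return null;
  return `<iframe src="${escapeAttr(src)}" width="${escapeAttr(String(width))}" ` +
    `height="${escapeAttr(String(height))}" sandbox="allow-scripts" ` +
    `referrerpolicy="no-referrer" frameborder="0"></iframe>`;
}

// Assumed wiring: if the editor lets the application transform the embed link
// through a callback before it is used, hand back the sanitized URL or a
// harmless placeholder instead of the raw user string.
const embedCallback = (link) => sanitizeEmbedSrc(link) ?? 'about:blank';
```

The allowlist is deliberately strict: a scheme check alone would still let an arbitrary https page be framed, and a string-prefix check on the raw input would be fooled by the credentials form shown in the comments. Parsing with the URL constructor and reading `hostname` from the parsed object avoids both mistakes.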