CVE-2024-40631: 
JavaScript vulnerability analysis and mitigation

Plate media, an open source rich-text editor for React, contains a cross-site scripting (XSS) vulnerability in versions prior to 36.0.10. The vulnerability affects editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook, or directly consume the url property without sanitization. The vulnerability was discovered and disclosed on July 15, 2024 (GitHub Advisory).

The vulnerability occurs when custom parsers allow javascript:, data: or vbscript: URLs to be embedded through the useMediaState hook. The default parsers parseTwitterUrl and parseVideoUrl are not affected. The issue has been assigned a CVSS v3.1 score of 8.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating high impact on confidentiality and integrity (GitHub Advisory).

If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code through XSS attacks when malicious URLs are processed by the editor. This could lead to unauthorized access to sensitive information or manipulation of web content (GitHub Advisory).

The vulnerability has been patched in version 36.0.10 of @udecode/plate-media by restricting URL parsing to only allow HTTP and HTTPS protocols. For users unable to upgrade, it is recommended to ensure that custom urlParsers do not allow javascript:, data: or vbscript: URLs in their return values. Additionally, if consuming the url property directly, validate the URL protocol before passing it to the iframe element (GitHub Advisory, Fortiguard).