CVE-2024-47061: 
JavaScript vulnerability analysis and mitigation

CVE-2024-47061 affects Plate, a JavaScript toolkit for developing text editors with Slate framework. The vulnerability was discovered and disclosed on September 20, 2024, affecting @udecode/plate-core versions >=37.0.0,<38.0.6, >=22.0.0,<36.5.9, and <21.5.1. The issue stems from a feature allowing custom DOM attributes to be added to any element or leaf using the attributes property (GitHub Advisory).

The vulnerability involves the ability to add custom DOM attributes to elements through the attributes property, which are passed to node components using the nodeProps prop. The issue has been assigned a CVSS v3.1 base score of 8.3 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. The vulnerability is classified as CWE-79 (Cross-site Scripting) (GitHub Advisory, FortiGuard Labs).

The vulnerability can be exploited for malicious purposes, including cross-site scripting (XSS) attacks and information exposure. Specifically, it can lead to the exposure of users' IP addresses and reveal whether users have opened malicious documents. The risk is particularly significant for applications where web requests to arbitrary URLs are not ordinarily allowed (GitHub Advisory).

Patched versions (38.0.6, 36.5.9, and 21.5.1) have disabled element.attributes and leaf.attributes for most attribute names by default, with exceptions for specific attributes like target, alt, width, height, colspan, and rowspan on certain plugins. For users unable to upgrade, it's recommended to use tools like patch-package or yarn patch to remove the logic from @udecode/plate-core that adds attributes to nodeProps (GitHub Advisory).