GHSA-gm68-572p-q28r: 
JavaScript vulnerability analysis and mitigation

The vulnerability (GHSA-gm68-572p-q28r) affects the @vendure/admin-ui-plugin package, specifically versions prior to 2.0.3. Discovered and disclosed in July 2023, this authenticated Cross-site Scripting (XSS) vulnerability impacts the admin UI's description input fields, including areas such as inventory/collection catalog, shipping methods, and promotions (GitHub Advisory).

The vulnerability stems from insufficient HTML sanitization in the WYSIWYG editor. While the editor provides limited customization through its interface, the underlying system allows arbitrary HTML to be saved and rendered when request data is modified outside the UI. This creates a potential XSS attack vector when viewing affected pages. The issue was assigned a Moderate severity rating and is tracked as CWE-79 (GitHub Advisory).

The vulnerability enables privilege escalation through XSS attacks. An attacker with access to description input fields can inject malicious code that, when viewed by other users, executes arbitrary JavaScript code in their browser context. This allows the attacker to perform actions with the privileges of any user who views the compromised page (GitHub Advisory).

The vulnerability has been patched in version 2.0.3 of the @vendure/admin-ui-plugin. The fix includes preventing XSS in the rich text editor and implementing proper sanitization for iframe srcdoc attributes (Vendure Changelog).