SCA: security update for @udecode/plate-media (GHSA-h3pq-667x-r789)

high Tenable Self-Hosted Container Security Plugin ID 415438

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass
custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows
`javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and
consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default
parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves
this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property
returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been
renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also
unsafe, but has not been renamed. If you're using either of these properties directly, you will still need
to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any
custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url`
property of their return values. If `url` is consumed directly, validate the URL protocol before passing
it to the `iframe` element. (CVE-2024-40631)

See Also

https://github.com/advisories/GHSA-h3pq-667x-r789

Plugin Details

Severity: High

ID: 415438

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.2

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2024-40631

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.4

Threat Score: 5.8

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/15/2024

Vulnerability Publication Date: 7/15/2024

Reference Information

CVE: CVE-2024-40631

cwe: CWE-79