ApryseSDK / webviewer-ui

WebViewer UI built in React

[SECURITY] CVE-2023-26149 quill-mention #1055

Closed LarsNielsenEG closed 4 months ago

LarsNielsenEG commented 7 months ago

Webviewer-ui uses quill-mention in version "^3.1.0", which is vulnerable to XSS.

Recommendation is to upgrade to ^4.0.0

see https://github.com/advisories/GHSA-jgw5-rp4p-qhp6

CorreyL commented 7 months ago

Hello @LarsNielsenEG,

Correy here from Apryse's Security team, nice to e-meet you, thank you for raising this matter.

The WebViewer team has prioritized this library to be upgraded and tested in the next development sprint.

In the meantime, so long as the setUserData API is not used, or is only provided data from a trusted source, then the risk of this CVE is minimized.

Nevertheless, Apryse recognizes the importance of keeping third-party libraries up-to-date, and is prioritizing resources to this matter accordingly.

We will provide an update on this issue once the work has been completed.

Please let me know if you have any follow-up questions in the meantime.

Best regards, Correy

DontNukeDevelop commented 6 months ago

Any news on when the fix will be deployed and released?

CorreyL commented 6 months ago

Hello @DontNukeDevelop,

Work is still on track for the library to be upgraded and tested in the current development sprint.

In the meantime, if your team is utilizing the setUserData API that this issue only pertains to, one mitigating measure your team can take is to sanitize all string input to the setUserData function with a sanitization library such as DOMPurify:

https://www.npmjs.com/package/dompurify

So one possible setup could be:

import DOMPurify from 'dompurify';

// rawUsers: the untrusted source of user records (hypothetical variable)
// Perform the same sanitization on every object that ends up in the userData array
const userData = rawUsers.map((user) => ({
  value: DOMPurify.sanitize(user.name),  // user first and last name string
  email: DOMPurify.sanitize(user.email), // user e-mail address
}));

instance.UI.mentions.setUserData(userData);

Nevertheless, Apryse recognizes the importance of keeping third-party libraries up-to-date, and is prioritizing resources to this matter accordingly.

We will provide an update on this issue once the work has been completed.

Please let me know if you have any follow-up questions in the meantime.

Best regards, Correy
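Added example (not code from the issue thread or from Apryse): a helper that prepares the array handed to `instance.UI.mentions.setUserData()` so that no markup from an untrusted source reaches quill-mention, and that flags entries which contained markup so they can be logged. Because mention names and e-mail addresses are plain text, it uses HTML-escaping, which needs no DOM and runs offline; using it in place of the thread's `DOMPurify.sanitize` suggestion is an assumption of this example, and `prepareMentionUserData`, `sampleUsers` and the record shape `{ value, email }` are names chosen here.

```javascript
// Added example, not part of the issue thread. Escape-based alternative to
// DOMPurify for the plain-text fields quill-mention renders (assumption).

// The five characters that can open or close HTML markup or an attribute.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Drop ASCII control characters, which have no place in a name or address.
function stripControlChars(text) {
  return String(text).replace(/[\u0000-\u001f\u007f]/g, '');
}

// Returns { userData, flagged }: userData is safe to pass to setUserData,
// flagged lists the entries whose fields contained markup (for logging).
function prepareMentionUserData(rawUsers) {
  const userData = [];
  const flagged = [];
  for (const raw of rawUsers) {
    const value = stripControlChars(raw.value ?? '');
    const email = stripControlChars(raw.email ?? '');
    const entry = { value: escapeHtml(value), email: escapeHtml(email) };
    // If escaping changed a field, the source supplied markup characters.
    if (entry.value !== value || entry.email !== email) {
      flagged.push({ value, email });
    }
    userData.push(entry);
  }
  return { userData, flagged };
}

// Constructed sample input (not real users): one benign record and one
// carrying markup of the kind the upgraded quill-mention refuses to render.
const sampleUsers = [
  { value: 'Alice Example', email: 'alice@example.com' },
  { value: 'Mallory <script>alert(1)</script>', email: 'm@example.com' },
];

const result = prepareMentionUserData(sampleUsers);
// In WebViewer this is where you would call:
// instance.UI.mentions.setUserData(result.userData);
console.log(result);
```

Anything that lands in `flagged` is worth recording in your application logs, since a name field containing angle brackets is a sign that the upstream user directory is not trustworthy.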

DontNukeDevelop commented 6 months ago

Thank you for your response, we have temporarily sanitized the user input.

CorreyL commented 6 months ago

@DontNukeDevelop @LarsNielsenEG quill-mention has been updated to the next major version of 4.1.0 that has no known vulnerabilities as of this writing.

This update will be included in the next release of WebViewer, which is currently set for mid-June. In the meantime, the previously suggested DOMPurify.sanitize method will provide the same result as the upgrade.

Please let me know if you have any follow-up questions in the meantime.

Best regards, Correy

CorreyL commented 4 months ago

quill-mention has been upgraded as of the WebViewer 10.10.0 release, resolving this issue.