CVE-2023-41167: Open-Source Serverless CMS for Enterprises - Headless CMS & Page Builder | Webiny
@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a React component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the editor.js rich text editor to handle rich text content. The CMS stores rich text content from editor.js in the database. When @webiny/react-rich-text-renderer is used to render such content, it uses the dangerouslySetInnerHTML prop without applying HTML sanitization. The issue arises when an actor, who in this context would specifically be a content manager with access to the CMS, inserts a malicious script as part of the user-defined input. This script is then injected and executed within the user’s browser when the main page or admin page loads.
## Overview

`@webiny/react-rich-text-renderer` is a React component to render data coming from Webiny Headless CMS and Webiny Form Builder. The `@webiny/react-rich-text-renderer` package depends on the [editor.js](https://editorjs.io/) rich text editor to handle rich text content. The CMS stores rich text content from `editor.js` in the database. When `@webiny/react-rich-text-renderer` is used to render such content, it uses the `dangerouslySetInnerHTML` prop without applying HTML sanitization. The issue arises when an actor, who in this context would specifically be a content manager with access to the CMS, inserts a malicious script as part of the user-defined input. This script is then injected and executed within the user's browser when the main page or admin page loads.

## Am I affected?

You will be affected if you're running a Webiny project created prior to `5.35.0` and you're using the legacy rich text editor (which uses the `editor.js` library under the hood). If you'v...
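The following is an added example, not Webiny's own code: it renders editor.js paragraph blocks (assumed shape `{ type, data: { text } }`, which is what editor.js emits) to HTML, once the way the advisory describes (block text reaches the DOM verbatim) and once through a small allowlist sanitizer written for this illustration. In a real deployment a maintained sanitizer such as DOMPurify should be used in place of the hand-rolled `sanitizeInline`.

```javascript
// Added illustration, not Webiny's code. Block shape follows editor.js output;
// the sanitizer is our own and deliberately strict (inline tags only, no attributes
// except an http(s) href on <a>).

const ALLOWED_TAGS = new Set(["b", "i", "u", "code", "a"]);
const TAG_RE = /<(\/?)([a-zA-Z0-9]+)([^>]*)>/g;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g,
    (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Keep allowlisted inline tags, drop their attributes (only a safe href survives),
// and entity-escape everything else so unknown tags render as literal text.
function sanitizeInline(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(TAG_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    last = m.index + m[0].length;
    const [raw, slash, name, attrs] = m;
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) { out += escapeHtml(raw); continue; }
    if (tag === "a" && !slash) {
      const href = /href\s*=\s*"([^"]*)"/i.exec(attrs);
      const url = href && /^https?:\/\//i.test(href[1]) ? href[1] : null;
      out += url ? `<a href="${escapeHtml(url)}" rel="noopener noreferrer">` : "<a>";
    } else {
      out += `<${slash}${tag}>`;
    }
  }
  return out + escapeHtml(text.slice(last));
}

// Vulnerable: stored block text becomes markup unchanged (what the advisory describes
// happening via dangerouslySetInnerHTML).
function renderUnsafe(blocks) {
  return blocks.map((b) => `<p>${b.data.text}</p>`).join("");
}

// Hardened: same structure, but every block's text is sanitized before it becomes markup.
function renderSafe(blocks) {
  return blocks.map((b) => `<p>${sanitizeInline(b.data.text)}</p>`).join("");
}

// Constructed sample of what the CMS might store after a content manager edits a page.
const SAMPLE_BLOCKS = [
  { type: "paragraph", data: { text: 'Hello <b>world</b>, see <a href="https://example.com">docs</a>' } },
  { type: "paragraph", data: { text: "Bye <script>alert(1)</script>" } },
];
```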