Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/622366?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/622366?format=api", "purl": "pkg:npm/%40webiny/react-rich-text-renderer@5.19.1", "type": "npm", "namespace": "@webiny", "name": "react-rich-text-renderer", "version": "5.19.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.37.2-beta.0", "latest_non_vulnerable_version": "5.37.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18334?format=api", "vulnerability_id": "VCID-a8x7-67mm-3kez", "summary": "@webiny/react-rich-text-renderer vulnerable to insecure rendering of rich text content\n@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a react component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the editor.js rich text editor to handle rich text content. The CMS stores rich text content from the editor.js into the database. When the @webiny/react-rich-text-renderer is used to render such content, it uses the dangerouslySetInnerHTML prop, without applying HTML sanitization. The issue arises when an actor, who in this context would specifically be a content manager with access to the CMS, inserts a malicious script as part of the user-defined input. This script is then injected and executed within the user's browser when the main page or admin page loads.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41167", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56372", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41167" }, { "reference_url": "https://github.com/webiny/webiny-js", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webiny/webiny-js" }, { "reference_url": "https://github.com/webiny/webiny-js/commit/8748bc53fe862bb03d4459ccc0be39084a5d35c0", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webiny/webiny-js/commit/8748bc53fe862bb03d4459ccc0be39084a5d35c0" }, { "reference_url": "https://webiny.com", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:52:27Z/" } ], "url": "https://webiny.com" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41167", "reference_id": "CVE-2023-41167", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41167" }, { "reference_url": "https://github.com/advisories/GHSA-3x59-vrmc-5mx6", "reference_id": "GHSA-3x59-vrmc-5mx6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3x59-vrmc-5mx6" }, { "reference_url": "https://github.com/webiny/webiny-js/security/advisories/GHSA-3x59-vrmc-5mx6", "reference_id": "GHSA-3x59-vrmc-5mx6", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:52:27Z/" } ], "url": "https://github.com/webiny/webiny-js/security/advisories/GHSA-3x59-vrmc-5mx6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/622504?format=api", "purl": "pkg:npm/%40webiny/react-rich-text-renderer@5.37.2-beta.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540webiny/react-rich-text-renderer@5.37.2-beta.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/65469?format=api", "purl": "pkg:npm/%40webiny/react-rich-text-renderer@5.37.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540webiny/react-rich-text-renderer@5.37.2" } ], "aliases": [ "CVE-2023-41167", "GHSA-3x59-vrmc-5mx6" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a8x7-67mm-3kez" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540webiny/react-rich-text-renderer@5.19.1" }