Impact

Due to insufficient class name validation in the GrapesJS library, it is possible to add executable JS code to a class name through the Selector Manager.

Relates to https://github.com/artf/grapesjs/issues/4411

Patch

Update the GrapesJS dependency to >=v0.19.5.

References

https://github.com/oroinc/orocommerce/security/advisories/GHSA-6f85-3f8q-qc94
https://github.com/artf/grapesjs/issues/4411
https://github.com/advisories/GHSA-6f85-3f8q-qc94
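
To check a project against the patch guidance above, the following added example (not code from the advisory or from the GrapesJS or Oro projects) scans a parsed npm lockfile for `grapesjs` entries older than 0.19.5, including nested copies. The function names and the sample lockfile contents are constructed for illustration.

```javascript
// Added example: flag grapesjs installs older than the fixed release (0.19.5).
const FIXED = '0.19.5';

// Parse "1.2.3" or "1.2.3-rc.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when a sorts before b; a prerelease of X.Y.Z sorts before X.Y.Z itself.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre;
}

// Accepts a parsed package-lock.json. Lockfile v2/v3 is read from "packages",
// v1 from the nested "dependencies" tree.
function findVulnerableGrapes(lock) {
  const fixed = parseVersion(FIXED);
  const hits = [];
  const check = (where, version) => {
    const parsed = parseVersion(version);
    // Unparseable versions (git URLs, tarballs) are reported for manual review.
    if (!parsed || isBefore(parsed, fixed)) hits.push({ where, version });
  };
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (name === 'grapesjs') check(`${trail}${name}`, entry.version);
      walk(entry.dependencies, `${trail}${name} > `);
    }
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      const isGrapes = path === 'node_modules/grapesjs' || path.endsWith('/node_modules/grapesjs');
      if (isGrapes) check(path, entry.version);
    }
  } else {
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (package names other than grapesjs are made up).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'storefront', version: '1.0.0' },
  'node_modules/grapesjs': { version: '0.19.4' },
  'node_modules/page-builder/node_modules/grapesjs': { version: '0.20.1' },
  'node_modules/grapesjs-helper': { version: '0.1.0' } } };
console.log(findVulnerableGrapes(SAMPLE_LOCK));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the sample object.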