GHSA-7vvq-7r29-5vg3

Опубликовано: 27 янв. 2022

Источник: github

Github: Прошло ревью

CVSS3: 7.1

Описание

Cross site scripting in three.js

CVE has been withdrawn

Versions of three.js prior to 0.137.0 load untrusted iframes and allow for attackers to inject arbitrary javascript into a users browser.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2022-0177
https://github.com/mrdoob/three.js/pull/23245
https://github.com/mrdoob/three.js/commit/0c31bc605e21965aad8a6479bb1969351773f76d
https://huntr.dev/bounties/16901080-99b4-4fb5-8c5b-931bfbf33cba

Пакеты

Наименование

three

npm

Затронутые версииВерсия исправления

< 0.137.0

0.137.0

7.1 High

CVSS3

CVE ID

CVE-2022-0177

Дефекты

CWE-79

Связанные уязвимости

CVE-2022-0177

nvd

около 4 лет назад

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage

7.1 High

CVSS3

CVE ID

CVE-2022-0177

Дефекты

CWE-79