Описание
Cross-Site Scripting in selectize-plugin-a11y
Versions of selectize-plugin-a11y prior to 1.1.0 are vulnerable to Cross-Site Scripting. The accessibility.liveRegion.speak function does not sanitize the msg variable before rendering it as HTML. If this variable is controlled by user input it allows attackers to execute arbitrary JavaScript in a victim's browser.
Recommendation
Upgrade to version 1.1.0 or later.
Пакеты
Наименование
selectize-plugin-a11y
npm
Затронутые версииВерсия исправления
< 1.1.0
1.1.0
Связанные уязвимости
CVSS3: 6.1
nvd
больше 6 лет назад
selectize-plugin-a11y before 1.1.0 has XSS via the msg field.