GHSA-9xr8-8hmc-389f

Published: 22 Nov 2019
Source: github
GitHub: Reviewed
CVSS3: 9.1

Description

Cross-Site Scripting in vant

Versions of vant prior to 2.1.8 are vulnerable to Cross-Site Scripting. The text value of the Picker component column is not sanitized, which may allow attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 2.1.8 or later.

Packages

Name: vant (npm)
Affected versions: < 2.1.8
Fixed version: 2.1.8

CVSS3: 9.1 Critical

Weaknesses: CWE-79
