Description
Cross-Site Scripting in @berslucas/liljs
Versions of @berslucas/liljs prior to 1.0.2 are vulnerable to Cross-Site Scripting (XSS). The package uses the unsafe innerHTML property without sanitizing input, which may allow attackers to execute arbitrary JavaScript in the victim's browser.
Recommendation
Upgrade to version 1.0.2 or later.
Packages
Name: @berslucas/liljs (npm)
Affected versions: < 1.0.2
Fixed version: 1.0.2
CVSS3: 6.5 Medium
Weaknesses
CWE-79