GHSA-g662-qq45-ppwm

Published: 21 Dec 2022
Source: github
Github: Reviewed
CVSS3: 5.4

Description

Smoothie vulnerable to Cross-site Scripting when tooltipLabel or strokeStyle are controlled by users

The package smoothie from 1.31.0 and before 1.36.1 is vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input in the strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control these properties.

Packages

Name: smoothie (npm)
Affected versions: >= 1.31.0, < 1.36.1
Fixed version: 1.36.1

EPSS: 0.00501 (Low)
Percentile: 65%

CVSS3: 5.4 Medium

Weaknesses: CWE-79

Related vulnerabilities

CVSS3: 5.4
nvd
about 3 years ago

The package smoothie from 1.31.0 and before 1.36.1 is vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization in strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control these properties.
