Description
Cross-Site Scripting in webpack-bundle-analyzer
Versions of webpack-bundle-analyzer prior to 3.3.2 are vulnerable to Cross-Site Scripting. The package embeds report data into the generated HTML with JSON.stringify() and does not escape the result for the HTML context it is placed in. JSON.stringify() encodes quotes and backslashes but leaves `<` untouched, so data derived from the analyzed bundle (which an attacker may be able to influence) can close the surrounding script block and inject arbitrary markup and script into the report page.
Recommendation
Upgrade to version 3.3.2 or later.
References
- https://github.com/webpack-contrib/webpack-bundle-analyzer/issues/263
- https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/264
- https://github.com/webpack-contrib/webpack-bundle-analyzer/commit/20f2b4c553ee343f491faf63e39427fba9908c7c
- https://snyk.io/vuln/SNYK-JS-WEBPACKBUNDLEANALYZER-174190
- https://www.npmjs.com/advisories/826
Packages
Name: webpack-bundle-analyzer (npm)
Affected versions: < 3.3.2
Fixed version: 3.3.2
Severity: 6.3 Medium (CVSS3)
Weaknesses: CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")