Description
Cross-Site Scripting in jquery.json-viewer
Versions of jquery.json-viewer prior to 1.3.0 are vulnerable to Cross-Site Scripting (XSS). The package insufficiently sanitizes user input when creating links, and concatenates the user input in an <a> tag. This allows attackers to create malicious links with JSON payloads such as:
{
"foo": "https://bar.com\" onmouseover=alert('xss') \""
}
This may lead to arbitrary JavaScript execution in a victim's browser.
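The pattern described above, shown next to a hardened form. This is an added illustration, not code from jquery.json-viewer; every function name is hypothetical, and the http(s)-only check goes slightly beyond the escaping issue the advisory describes.

```javascript
// Added illustration, not jquery.json-viewer source; all function names are hypothetical.

// Vulnerable pattern: the string value is concatenated into the <a> tag unescaped.
function renderLinkUnsafe(value) {
  return '<a href="' + value + '">' + value + '</a>';
}

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Treat a value as a link only if it parses as an absolute http(s) URL.
function isHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Hardened pattern: escape before concatenating; non-links are rendered as text.
function renderLinkSafe(value) {
  const text = escapeHtml(value);
  if (!isHttpUrl(value)) return '<span>' + text + '</span>';
  return '<a href="' + text + '">' + text + '</a>';
}

// The advisory's payload, parsed the way a viewer would receive it.
const payload = JSON.parse(
  String.raw`{"foo": "https://bar.com\" onmouseover=alert('xss') \""}`
).foo;

console.log(renderLinkUnsafe(payload)); // quote closes href, onmouseover becomes an attribute
console.log(renderLinkSafe(payload));   // quotes arrive as &quot; / &#39;, no new attribute
```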
Recommendation
Upgrade to version 1.3.0 or later.
Packages
Name: jquery.json-viewer (npm)
Affected versions: < 1.3.0
Fixed version: 1.3.0
Weaknesses
CWE-79