GHSA-w4vp-3mq7-7v82

Опубликовано: 03 сент. 2020

Источник: github

Github: Прошло ревью

Описание

Cross-Site Scripting in lazysizes

Versions of lazysizes prior to 5.2.1-rc1 are vulnerable to Cross-Site Scripting. The video-embed plugin fails to sanitize the following attributes: data-vimeo, data-vimeoparams, data-youtube and data-ytparams. This allows attackers to execute arbitrary JavaScript in a victim's browser if the attacker has control over the vulnerable attributes.

Recommendation

Upgrade to version 5.2.1-rc1 or later.

Ссылки

https://github.com/aFarkas/lazysizes/issues/764
https://www.npmjs.com/advisories/1493

Пакеты

Наименование

lazysizes

npm

Затронутые версииВерсия исправления

<= 5.2.1-rc0

5.2.1-rc1

Дефекты

CWE-79

Дефекты

CWE-79