GHSA-whv6-rj84-2vh2

Published: 04 Sep 2020
Source: github
Github: Reviewed

Description

Cross-Site Scripting in nextcloud-vue-collections

Versions of nextcloud-vue-collections prior to 0.4.2 are vulnerable to Cross-Site Scripting (XSS). The v-tooltip component has an insecure defaultHTML configuration that allows arbitrary JavaScript to be injected in the tooltip of a collection item. This allows attackers to execute arbitrary code in a victim's browser.

Recommendation

Upgrade to version 0.4.2 or later.

Packages

Name: nextcloud-vue-collections (npm)
Affected versions: < 0.4.2
Fixed version: 0.4.2

Weaknesses

CWE-79
