CVE-2021-39178

Опубликовано: 31 авг. 2021

Источник: nvd

CVSS3: 7.5

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the next.config.js file must have images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.

Ссылки

https://github.com/vercel/next.js/releases/tag/v11.1.1
Patch
Release Notes
Third Party Advisory
https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m
Patch
Third Party Advisory
https://github.com/vercel/next.js/releases/tag/v11.1.1
Patch
Release Notes
Third Party Advisory
https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Версия от 10.0.0 (включая) до 11.1.1 (исключая)

EPSS

Процентиль: 71%

0.007

Низкий

7.5 High

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-9gr3-7897-pp7m

CVSS3: 7.5

github

почти 4 года назад

XSS in Image Optimization API for Next.js

EPSS

Процентиль: 71%

0.007

Низкий

7.5 High

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79