CVE-2021-43785

Опубликовано: 26 нояб. 2021

Источник: nvd

CVSS3: 7.6

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a script tag into the page and execute malicious code.

Ссылки

https://github.com/joeattardi/emoji-button/commit/05970c09180cd27fff493e998ac5bf0468b1bb16
Patch
Third Party Advisory
https://github.com/joeattardi/emoji-button/commit/fe54bef107eb3f74873a4018f2ff49fa124c6a2e
Patch
Third Party Advisory
https://github.com/joeattardi/emoji-button/security/advisories/GHSA-f34m-x9pj-62vq
Third Party Advisory
https://github.com/joeattardi/emoji-button/commit/05970c09180cd27fff493e998ac5bf0468b1bb16
Patch
Third Party Advisory
https://github.com/joeattardi/emoji-button/commit/fe54bef107eb3f74873a4018f2ff49fa124c6a2e
Patch
Third Party Advisory
https://github.com/joeattardi/emoji-button/security/advisories/GHSA-f34m-x9pj-62vq
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:emoji_button_project:emoji_button:*:*:*:*:*:node.js:*:*

Версия до 4.6.2 (исключая)

EPSS

Процентиль: 60%

0.00398

Низкий

7.6 High

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-f34m-x9pj-62vq

CVSS3: 7.6

github

около 4 лет назад

Cross-Site Scripting Vulnerability in @joeattardi/emoji-button

EPSS

Процентиль: 60%

0.00398

Низкий

7.6 High

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79