CVE-2022-25349

Опубликовано: 01 мая 2022

Источник: nvd

CVSS3: 5.4

CVSS2: 4.3

EPSS Низкий

Описание

All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user-input is provided to the autocomplete component.

Ссылки

https://github.com/Dogfalo/materialize/blob/v1-dev/js/autocomplete.js%23L285%20
Broken Link
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2766498
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-MATERIALIZECSS-2324800
Exploit
Third Party Advisory
https://github.com/Dogfalo/materialize/blob/v1-dev/js/autocomplete.js%23L285%20
Broken Link
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2766498
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-MATERIALIZECSS-2324800
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:materializecss:materialize:*:*:*:*:*:*:node.js:*

EPSS

Процентиль: 53%

0.00301

Низкий

5.4 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2022-25349

CVSS3: 5.4

debian

почти 4 года назад

All versions of package materialize-css are vulnerable to Cross-site S ...

GHSA-7jvx-f994-rfw2

CVSS3: 5.4

github

почти 4 года назад

materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input

EPSS

Процентиль: 53%

0.00301

Низкий

5.4 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79