CVE-2022-25854

Опубликовано: 29 апр. 2022

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.

Ссылки

https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/
Exploit
Patch
Third Party Advisory
https://github.com/yairEO/tagify/commit/198c0451fad188390390395ccfc84ab371def4c7
Patch
Third Party Advisory
https://github.com/yairEO/tagify/issues/988
Exploit
Issue Tracking
Third Party Advisory
https://github.com/yairEO/tagify/releases/tag/v4.9.8
Release Notes
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-YAIREOTAGIFY-2404358
Third Party Advisory
https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/
Exploit
Patch
Third Party Advisory
https://github.com/yairEO/tagify/commit/198c0451fad188390390395ccfc84ab371def4c7
Patch
Third Party Advisory
https://github.com/yairEO/tagify/issues/988
Exploit
Issue Tracking
Third Party Advisory
https://github.com/yairEO/tagify/releases/tag/v4.9.8
Release Notes
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-YAIREOTAGIFY-2404358
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:tagify_project:tagify:*:*:*:*:*:*:*:*

Версия до 4.9.8 (исключая)

EPSS

Процентиль: 70%

0.00633

Низкий

5.4 Medium

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-pxpf-v376-7xx5

CVSS3: 6.1

github

почти 4 года назад

tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload

EPSS

Процентиль: 70%

0.00633

Низкий

5.4 Medium

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79