CVE-2022-29230

Опубликовано: 18 мая 2022

Источник: nvd

CVSS3: 6.3

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability.

Ссылки

https://github.com/Shopify/hydrogen/pull/1272
Issue Tracking
Patch
Third Party Advisory
https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0
Patch
Third Party Advisory
https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f
Third Party Advisory
https://github.com/Shopify/hydrogen/pull/1272
Issue Tracking
Patch
Third Party Advisory
https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0
Patch
Third Party Advisory
https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:shopify:hydrogen:*:*:*:*:*:node.js:*:*

Версия от 0.10.0 (включая) до 0.19.0 (исключая)

EPSS

Процентиль: 53%

0.00306

Низкий

6.3 Medium

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-6j22-wv8g-894f

CVSS3: 6.3

github

больше 3 лет назад

Potential Cross-site Scripting vulnerability in Hydrogen

EPSS

Процентиль: 53%

0.00306

Низкий

6.3 Medium

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79