CVE-2024-9440

Опубликовано: 02 окт. 2024

Источник: nvd

CVSS3: 5.4

CVSS3: 6.1

EPSS Низкий

Описание

Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to an innerHTML without sanitation. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker executed JavaScript. At this time, no patch is available.

Ссылки

https://github.com/brianvoe/slim-select/blob/e7e37e2ff90e125f846bd98d6b8f278524ead79e/src/slim-select/select.ts#L377
Product
https://github.com/brianvoe/slim-select/issues/564
Exploit
Issue Tracking
https://vulncheck.com/advisories/slim-select-xss
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:slimselectjs:slim_select:*:*:*:*:*:node.js:*:*

Версия до 2.9.2 (исключая)

EPSS

Процентиль: 35%

0.00144

Низкий

5.4 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-qvqv-mcxr-x8qw

CVSS3: 5.4

github

больше 1 года назад

Slim Select has potential Cross-site Scripting issue

EPSS

Процентиль: 35%

0.00144

Низкий

5.4 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79