Описание
Svelte performance oriented web framework. Prior to version 5.53.5, the contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.
A flaw was found in svelte, a performance-oriented web framework. When rendering untrusted data as the initial value for bind:innerText and bind:textContent on contenteditable elements on the server, the contents were not properly escaped. This improper handling could allow a remote attacker to perform HTML injection and Cross-Site Scripting (XSS), leading to the execution of malicious scripts in the user's browser.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Build of Podman Desktop - Tech Preview | rhdesktop/rh-podman-desktop-ext-bootc-rhel10 | Affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
5.4 Medium
CVSS3
Связанные уязвимости
Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
5.4 Medium
CVSS3