Lucene search

GitHub Advisory DatabaseGHSA-G662-QQ45-PPWM

HistoryDec 21, 2022 - 6:30 a.m.

Smoothie vulnerable to Cross-site Scripting when tooltipLabel or strokeStyle are controlled by users

2022-12-2106:30:29

CWE-79

GitHub Advisory Database

github.com

smoothie

cross-site scripting

user input

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

49.6%

JSON

The package smoothie from 1.31.0 and before 1.36.1 are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization in strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control these properties.

Affected configurations

Vulners

Node

smoothieRange1.31.0–1.36.1

VendorProductVersionCPE
*smoothie*cpe:2.3:a:*:smoothie:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	smoothie	*	cpe:2.3:a::smoothie::::::::*

References

github.com/advisories/GHSA-g662-qq45-ppwm

github.com/joewalnes/smoothie/commit/8e0920d50da82f4b6e605d56f41b69fbb9606a98

github.com/joewalnes/smoothie/pull/147

nvd.nist.gov/vuln/detail/CVE-2022-25929

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-3177369

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-3177368

security.snyk.io/vuln/SNYK-JS-SMOOTHIE-3177364

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

49.6%

JSON

Related for GHSA-G662-QQ45-PPWM