GitHub Advisory DatabaseGHSA-PXPF-V376-7XX5tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
43.9%
This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the cross-site scripting (XSS) payload.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| @yaireo/tagify | lt | 4.9.8 |
References
bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/
github.com/advisories/GHSA-pxpf-v376-7xx5
github.com/yairEO/tagify/commit/198c0451fad188390390395ccfc84ab371def4c7
github.com/yairEO/tagify/issues/988
github.com/yairEO/tagify/releases/tag/v4.9.8
nvd.nist.gov/vuln/detail/CVE-2022-25854
snyk.io/vuln/SNYK-JS-YAIREOTAGIFY-2404358
Related
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
43.9%