Lucene search

GitHub Advisory DatabaseGHSA-Q4Q5-C5CV-2P68

HistorySep 19, 2022 - 12:00 a.m.

Vuetify Cross-site Scripting vulnerability

2022-09-1900:00:28

CWE-79

GitHub Advisory Database

github.com

vuetify

cross-site scripting

vcalendar

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

50.6%

JSON

The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the ‘eventName’ function within the VCalendar component.

Affected configurations

Vulners

Node

-org.webjars.npm\Matchvuetify

vuetifyjsvuetifyRange<2.6.10

CPENameOperatorVersion
org.webjars.npm:vuetifylt2.6.10
vuetifylt2.6.10

CPE	Name	Operator	Version
	org.webjars.npm:vuetify	lt	2.6.10
	vuetify	lt	2.6.10

References

codepen.io/5v3n-08/pen/MWGKEjY

github.com/advisories/GHSA-q4q5-c5cv-2p68

github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176

github.com/vuetifyjs/vuetify/issues/15757

nvd.nist.gov/vuln/detail/CVE-2022-25873

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406

security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

50.6%

JSON

Related for GHSA-Q4Q5-C5CV-2P68