Lucene search

[email protected]NVD:CVE-2023-26149

HistorySep 28, 2023 - 5:15 a.m.

CVE-2023-26149

2023-09-2805:15:46

CWE-79

[email protected]

web.nvd.nist.gov

quill-mention package

cross-site scripting

user-input sanitization

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

25.8%

JSON

Versions of the package quill-mention before 4.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization, via the renderList function.

Note:

If the mentions list is sourced from unsafe (user-sourced) data, this might allow an injection attack when a Quill user hits @.

Affected configurations

Nvd

Node

quill-mentionquill_mentionRange<4.0.0node.js

VendorProductVersionCPE
quill-mentionquill_mention*cpe:2.3:a:quill-mention:quill_mention:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
quill-mention	quill_mention	*	cpe:2.3:a:quill-mention:quill_mention::::::node.js::*

References

codepen.io/ALiangLiang/pen/mdQMJXK

github.com/quill-mention/quill-mention/blob/0aa9847719257496b14ac5401872c4e2ffcbc3d1/src/quill.mention.js%23L391

github.com/quill-mention/quill-mention/commit/e85262ddced0a7f0b6fc8350d236a68bd1e28385

github.com/quill-mention/quill-mention/issues/255

github.com/quill-mention/quill-mention/pull/341

security.snyk.io/vuln/SNYK-JS-QUILLMENTION-5921549

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

25.8%

JSON

Related for NVD:CVE-2023-26149

veracode1 cvelist1 cve1 osv2 prion1 github1