OSV:GHSA-RV8P-RR2H-FGPG
History: Jan 30, 2024 - 8:57 p.m.

@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability

Published: 2024-01-30 20:57:45 (source: Google, osv.dev)

CVSS3: 8.2 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

AI Score: 6.3 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 17.0%)

Impact

The @apollo/experimental-apollo-client-nextjs NPM package contains a cross-site scripting (XSS) vulnerability. It arises from improper handling of untrusted input when the package performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent JavaScript injection into rendered pages.

Patches

To fix this issue, please update to version 0.7.0 or later.

Workarounds

There are no known workarounds for this issue. Please update to version 0.7.0.
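The advisory describes the general failure mode of server-side rendering: state serialized into the HTML page without escaping lets a string value break out of the element it is embedded in. The following is an added illustration of that class of bug and its mitigation, written for this page; it is not code from the @apollo/experimental-apollo-client-nextjs package and does not reproduce its actual defect. All names (`safeJsonForScript`, `renderPage`, `window.__STATE__`) and the sample state are constructed for the example.

```javascript
// Added example (not from the @apollo/experimental-apollo-client-nextjs
// code base): safely serializing server-rendered state into an inline
// <script> block so that untrusted string values cannot terminate the
// script element. Function and variable names are hypothetical.

// Characters that are dangerous inside a <script> body even though JSON
// permits them verbatim: "<" (could begin "</script>"), ">" and "&" (escaped
// for symmetry with HTML contexts), and the JS line terminators U+2028 and
// U+2029, which older engines reject inside string literals.
const SCRIPT_ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Serialize `value` as JSON text that can be embedded verbatim inside
// <script>...</script>. Each replacement is a valid JSON string escape,
// so JSON.parse on the client yields exactly the original value.
function safeJsonForScript(value) {
  return JSON.stringify(value).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => SCRIPT_ESCAPES[ch]
  );
}

// The unsafe variant for comparison: raw JSON.stringify output. A string
// value containing "</script>" closes the element early in the browser and
// anything after it is parsed as markup.
function unsafeJsonForScript(value) {
  return JSON.stringify(value);
}

// Render an HTML page that hydrates client state from a server-rendered
// cache (the generic SSR pattern; the page skeleton is constructed).
function renderPage(state, serialize = safeJsonForScript) {
  return [
    "<!doctype html>",
    "<html><body>",
    '<div id="app"></div>',
    "<script>window.__STATE__ = " + serialize(state) + ";</script>",
    "</body></html>",
  ].join("\n");
}

// Count occurrences of "</script" in rendered HTML. A correct render
// contains exactly one: the intentional closing tag.
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed untrusted input, e.g. a user-editable field that reaches the
// server-side cache and is serialized into the page.
const untrustedState = {
  user: { bio: "</script><script>/* injected */</script>" },
};

const safeHtml = renderPage(untrustedState);
const unsafeHtml = renderPage(untrustedState, unsafeJsonForScript);

console.log("safe render closers:", countScriptClosers(safeHtml));     // 1
console.log("unsafe render closers:", countScriptClosers(unsafeHtml)); // 3
```

The check to carry into a code review is the one `countScriptClosers` performs: serialized state inside a `<script>` element must never contain a literal `<` (the HTML parser stops at `</script` regardless of JSON string boundaries), and the escaped form must still round-trip through `JSON.parse` unchanged. Escaping at HTML-entity level (`&lt;`) is wrong for this context because script bodies are not entity-decoded.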

