5 matches found
Cross-site Scripting (XSS)
Overview @pdfme/schemas is a TypeScript base PDF generator and React base UI. Open source, developed by the community, and completely free to use under the MIT license! Affected versions of this package are vulnerable to Cross-site Scripting XSS in the multiVariableText property panel when...
Cross-site Scripting (XSS)
Overview @pdfme/schemas is a TypeScript base PDF generator and React base UI. Open source, developed by the community, and completely free to use under the MIT license! Affected versions of this package are vulnerable to Cross-site Scripting XSS via the innerHTML method. An attacker can execute...
@archbase/admin (>=4.0.0 <=4.0.21), @archbase/advanced (>=4.0.0 <=4.0.21) +10 more potentially affected by unknown CVE via @pdfme/schemas (>=5.5.10 <=5.5.8)
@pdfme/schemas NPM version =5.5.10, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =1.0.11, =0.20.0, =1.0.0, =0.31.0-EXPO-315-Marcelo-Tinelli.4, =0.0.1, =0.0.4 Source cves: unknown CVE Source advisory: SNYK:JS-PDFMESCHEMAS-15746949...
Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas
Summary The SVG schema plugin in @pdfme/schemas renders user-supplied SVG content using container.innerHTML = value without any sanitization, enabling arbitrary JavaScript execution in the user's browser. Details In packages/schemas/src/graphics/svg.ts, line 87, the SVG schema's ui renderer assig...
@archbase/admin (>=4.0.0 <=4.0.21), @archbase/advanced (>=4.0.0 <=4.0.21) +10 more potentially affected by unknown CVE via @pdfme/schemas (>=5.5.10 <=5.5.8)
@pdfme/schemas NPM version =5.5.10, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =1.0.11, =0.20.0, =1.0.0, =0.31.0-EXPO-315-Marcelo-Tinelli.4, =0.0.1, =0.0.4 Source cves: unknown CVE Source advisory: SNYK:JS-PDFMESCHEMAS-15746948...