Lucene search
Veracode Vulnerability DatabaseVERACODE:22659HistoryMar 10, 2020 - 2:51 a.m.
Cross-Site Scripting (XSS)
2020-03-1002:51:53
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
7
EPSS
0.001
Percentile
21.6%
lazysizes is vulnerable to cross-site scripting (XSS). The attributes data-vimeo, data-vimeoparams, data-youtube and data-ytparams are not sanitized by the video-embed plugin, allowing a remote attacker to inject and execute arbitrary Javascript in the user’s browser via the affected parameters.
References
github.com/aFarkas/lazysizes/blob/a2f37ec2371bff523ea8b94800682e4ec3596b9b/plugins/video-embed/ls.video-embed.js#L73
github.com/aFarkas/lazysizes/blob/a2f37ec2371bff523ea8b94800682e4ec3596b9b/plugins/video-embed/ls.video-embed.js#L98
github.com/aFarkas/lazysizes/commit/3720ab8262552d4e063a38d8492f9490a231fd48
github.com/aFarkas/lazysizes/issues/764
Related
osv
osv
Cross-site scripting in lazysizes
2021-12-10 20:06:23
CVE-2020-7642
2020-04-22 16:15:13
github
github
Cross-site scripting in lazysizes
2021-12-10 20:06:23
nvd
nvd
CVE-2020-7642
2020-04-22 16:15:13
cve
cve
CVE-2020-7642
2020-04-22 16:15:13
prion
prion
Design/Logic Flaw
2020-04-22 16:15:00
cvelist
cvelist
CVE-2020-7642
2020-04-22 15:13:51