next is vulnerable to cross-site scripting. An attacker is able to inject and execute malicious scirpt via image optimization API if next.config.js
file have images.domains
array assigned and the image host assigned in images.domains
which allows user-provided SVG.
CPE | Name | Operator | Version |
---|---|---|---|
next | le | 11.1.1-canary.17 | |
next | le | 11.1.1-canary.17 |