Veracode Vulnerability Database
VERACODE:39620
Mar 10, 2023 - 9:14 a.m.

Cross-site Scripting (XSS)

2023-03-10 09:14:52
sca.analysiscenter.veracode.com

EPSS: 0.001 (Low)
Percentile: 42.1%

vega is vulnerable to Cross-site Scripting (XSS) attacks. The library does not properly enforce the types of the arguments to its lassoAppend function, which allows an attacker to specify any object that has a push function. That push function can then be set to any function that has access to event.view.
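
The missing type check described above, modelled as an added example (not vega's source and not part of the advisory): the (x, y, minDist) parameters, the function bodies and the makeProbe helper are assumptions made for illustration. It contrasts an append helper that trusts its argument's push with one that validates the input and never resolves a method on it.

```javascript
// Added illustration, not vega's source. Names follow the advisory (lassoAppend,
// push); the (x, y, minDist) parameters and all bodies are assumptions.

// Unchecked form: assumes `lasso` is an array and calls whatever push() it carries.
function lassoAppendUnchecked(lasso, x, y, minDist = 5) {
  const last = lasso[lasso.length - 1];
  if (last === undefined || Math.hypot(last[0] - x, last[1] - y) > minDist) {
    lasso.push([x, y]); // method is resolved on caller-supplied data
  }
  return lasso;
}

// True only for a real two-element array of finite numbers.
function isPoint(p) {
  return Array.isArray(p) && p.length === 2 &&
    Number.isFinite(p[0]) && Number.isFinite(p[1]);
}

// Checked form: validates every argument and never looks up a method on the input.
function lassoAppendChecked(lasso, x, y, minDist = 5) {
  if (!Array.isArray(lasso)) {
    throw new TypeError('lasso must be an array');
  }
  if (![x, y, minDist].every(Number.isFinite)) {
    throw new TypeError('x, y and minDist must be finite numbers');
  }
  const path = []; // fresh array: its push() is the built-in one
  for (let i = 0; i < lasso.length; i++) {
    if (!isPoint(lasso[i])) {
      throw new TypeError('lasso[' + i + '] is not an [x, y] pair');
    }
    path.push([lasso[i][0], lasso[i][1]]);
  }
  const last = path[path.length - 1];
  if (last === undefined || Math.hypot(last[0] - x, last[1] - y) > minDist) {
    path.push([x, y]);
  }
  return path;
}

// Constructed stand-in for a non-array argument; its push() only counts calls.
function makeProbe() {
  const probe = { calls: 0 };
  probe.push = function () { probe.calls += 1; };
  return probe;
}
```

Array.isArray alone is not sufficient here, because an array instance can carry its own push property; copying the points into a fresh array covers that case as well.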
