Lucene search

Veracode Vulnerability DatabaseVERACODE:45257

HistoryJan 31, 2024 - 12:08 p.m.

Cross-site Scripting (XSS)

2024-01-3112:08:20

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

urql/next

cross-site scripting

html-like characters

response stream

vulnerable

software

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

6.4 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

urql/next is vulnerable to Cross-site scripting (XSS). The vulnerability is due to improper sanitization of HTML-like characters in the response stream. An attacker can inject malicious scripts by ensuring that the response returns html tags and that the web-application is using streamed responses (non-RSC).

CPENameOperatorVersion
@urql/nextle1.1.0
@urql/nextle1.1.0

CPE	Name	Operator	Version
	@urql/next	le	1.1.0
	@urql/next	le	1.1.0

References

github.com/urql-graphql/urql/commit/4b7011b70d5718728ff912d02a4dbdc7f703540d

github.com/urql-graphql/urql/security/advisories/GHSA-qhjf-hm5j-335w

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

6.4 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for VERACODE:45257