Lucene search

GitHub Advisory DatabaseGHSA-G662-QQ45-PPWM

HistoryDec 21, 2022 - 6:30 a.m.

Smoothie vulnerable to Cross-site Scripting when tooltipLabel or strokeStyle are controlled by users

2022-12-2106:30:29

CWE-79

GitHub Advisory Database

github.com

smoothie

cross-site scripting

user input

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

46.7%

JSON

The package smoothie from 1.31.0 and before 1.36.1 are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization in strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control these properties.

Affected configurations

Vulners

Node

smoothiechartssmoothie_chartsRange<1.36.1node.js

CPENameOperatorVersion
smoothielt1.36.1

CPE	Name	Operator	Version
	smoothie	lt	1.36.1

References

github.com/advisories/GHSA-g662-qq45-ppwm

github.com/joewalnes/smoothie/commit/8e0920d50da82f4b6e605d56f41b69fbb9606a98

github.com/joewalnes/smoothie/pull/147

nvd.nist.gov/vuln/detail/CVE-2022-25929

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-3177369

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-3177368

security.snyk.io/vuln/SNYK-JS-SMOOTHIE-3177364

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

46.7%

JSON

Related for GHSA-G662-QQ45-PPWM