Lucene search

GoogleOSV:CVE-2022-25929

HistoryDec 21, 2022 - 5:15 a.m.

CVE-2022-25929

2022-12-2105:15:11

Google

osv.dev

smoothie

cross-site scripting

xss

user input sanitization

strokestyle

tooltiplabel

vulnerability

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

46.7%

JSON

The package smoothie from 1.31.0 and before 1.36.1 are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization in strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control these properties.

CPENameOperatorVersion
smoothieeq1.8.0
smoothieeq1.34.0
smoothieeq1.12
smoothieeq1.6
smoothieeq1.7
smoothieeq1.30.0
smoothieeq1.28.0
smoothieeq1.24.0
smoothieeq1.11
smoothieeq1.21.0

Name	Operator	Version
smoothie	eq	1.8.0
smoothie	eq	1.34.0
smoothie	eq	1.12
smoothie	eq	1.6
smoothie	eq	1.7
smoothie	eq	1.30.0
smoothie	eq	1.28.0
smoothie	eq	1.24.0
smoothie	eq	1.11
smoothie	eq	1.21.0

Rows per page:

1-10 of 541

References

github.com/joewalnes/smoothie/commit/8e0920d50da82f4b6e605d56f41b69fbb9606a98

github.com/joewalnes/smoothie/pull/147

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-3177369

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-3177368

security.snyk.io/vuln/SNYK-JS-SMOOTHIE-3177364

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

46.7%

JSON

Related for OSV:CVE-2022-25929