Description
Versions of cyberchef prior to 8.31.3 are vulnerable to Cross-Site Scripting (XSS). In the Text Encoding Brute Force operation, the table rows are built by concatenating the `value` variable into the HTML without sanitization. If this variable is controlled by user input, attackers can execute arbitrary JavaScript in a victim's browser.
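The pattern described above, next to a hardened form, as an added example that is not CyberChef's own code. The function names, the sample encodings and the sample values are constructed for illustration, and the escaping helper is one common way to neutralize the issue, not necessarily the fix shipped in 8.31.3.

```javascript
// Constructed sample: decoded candidates keyed by encoding name. The second
// value stands in for user-influenced input that decodes to HTML markup.
const sampleResults = {
  "UTF-8 (65001)": "hello world",
  "Windows-1252 (1252)": '<img src=x onerror="alert(1)">',
};

// Vulnerable pattern: each value is concatenated straight into the row HTML,
// so any markup it contains is parsed by the browser as markup.
function buildTableUnsafe(results) {
  let table = "<table><tr><th>Encoding</th><th>Value</th></tr>";
  for (const enc in results) {
    table += "<tr><td>" + enc + "</td><td>" + results[enc] + "</td></tr>";
  }
  return table + "</table>";
}

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: every dynamic cell is escaped before concatenation.
function buildTableSafe(results) {
  let table = "<table><tr><th>Encoding</th><th>Value</th></tr>";
  for (const enc in results) {
    table += "<tr><td>" + escapeHtml(enc) + "</td><td>" + escapeHtml(results[enc]) + "</td></tr>";
  }
  return table + "</table>";
}

// Regression check: count tags in the output other than the table's own.
// A non-zero result means input reached the page as live markup.
function countUnexpectedTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.filter((t) => !/^<\/?(table|tr|th|td)$/i.test(t)).length;
}

console.log("unsafe:", countUnexpectedTags(buildTableUnsafe(sampleResults)));
console.log("safe:  ", countUnexpectedTags(buildTableSafe(sampleResults)));
```

A check like `countUnexpectedTags` can run in a unit test against any function that renders user-derived values into HTML strings.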
Recommendation
Update the cyberchef package to the latest compatible version. Version details:
- Affected version(s): < 8.31.3
- Patched version(s): 8.31.3
Related Issues
- AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes - CVE-2019-14863
- Cross-Site Scripting in min-http-server - CVE-2019-5457
- DOM-based cross-site scripting in Froala Editor - CVE-2019-19935
- Cross-site Scripting in pandao editor.md - CVE-2019-14517
Tags: npm, cyberchef
Last updated on January 09, 2023