Description
This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file).
Recommendation
Update the file-upload-with-preview package to the latest compatible version. Version details:
- Affected version(s): < 4.2.0
- Patched version(s): 4.2.0
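Alongside the upgrade, application code that displays an uploaded file's name can escape it before it reaches markup. The sketch below is an added example, not code from file-upload-with-preview: the function names and the label markup are assumptions, and the page does not describe how the package builds its preview.

```javascript
// Added example: all names here are hypothetical, not file-upload-with-preview's API.

// Characters that change meaning in HTML text or quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the user-controlled file name is concatenated into markup as-is.
function unsafePreviewLabel(fileName) {
  return '<span class="preview-label" title="' + fileName + '">' + fileName + "</span>";
}

// Hardened pattern: the name is escaped for both the attribute and the text context.
function safePreviewLabel(fileName) {
  const name = escapeHtml(fileName);
  return '<span class="preview-label" title="' + name + '">' + name + "</span>";
}

// Regression check: does the rendered markup carry any tag other than our own span?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?span\b/.test(t));
}

// Constructed sample names; a file name is untrusted input when a user can be
// tricked into uploading a crafted file.
const SAMPLE_NAMES = ["report.pdf", 'x"><img src=x onerror=alert(1)>.png', "a&b <draft>.txt"];

// Render every sample both ways and report whether foreign tags appear.
function auditSamples() {
  return SAMPLE_NAMES.map((n) => ({
    name: n,
    unsafeInjected: containsInjectedTag(unsafePreviewLabel(n)),
    safeInjected: containsInjectedTag(safePreviewLabel(n)),
  }));
}

console.log(auditSamples());
```

In browser code, assigning the name through `textContent` or `setAttribute` gives the same protection without manual escaping.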
References
Related Issues
- Margox Braft-Editor Cross-site Scripting Vulnerability - CVE-2021-27524
- vditor Vulnerable to Cross-site Scripting in SVG events - CVE-2021-4103
- Strapi 4.1.12 Cross-site Scripting via crafted file - CVE-2022-32114
- Cross-site Scripting in vmd - CVE-2021-33041
- Tags:
- npm
- file-upload-with-preview
Last updated on February 01, 2023