Description
This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file).
Recommendation
Update the file-upload-with-preview package to the latest compatible version. Version details:
- Affected version(s): < 4.2.0
- Patched version(s): 4.2.0
References
Related Issues
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- Cross-site Scripting (XSS) - Stored in crud-file-server - CVE-2018-3726
- Cross-site Scripting in video.js - CVE-2021-23414
- Cross-site scripting in react-bootstrap-table - CVE-2021-23398
Tags
- npm
- file-upload-with-preview
Last updated on February 01, 2023