Description
This affects versions of the package file-upload-with-preview before 4.2.0. A file whose name contains malicious JavaScript code can be uploaded (a user needs to be tricked into uploading such a file).
Recommendation
Update the file-upload-with-preview package to the latest compatible version. Version details:
- Affected version(s): < 4.2.0
- Patched version(s): 4.2.0
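Upgrading fixes the package itself; the same care applies to any application code that displays an uploaded file's name. The following is an added example, not code from file-upload-with-preview: it assumes the name is rendered as HTML, and all function names and sample file names are constructed for illustration. It shows the unescaped rendering next to the escaped one.

```javascript
// Added example. Helper names and sample file names are constructed for
// illustration; this is not code from file-upload-with-preview.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text be parsed as markup or break out of
// a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern (assumed): the user-supplied file name is spliced into HTML as-is.
function renderLabelUnsafe(fileName) {
  return `<span class="file-label">${fileName}</span>`;
}

// Hardened pattern: the name is encoded before it reaches the markup.
// In DOM code, assigning to element.textContent has the same effect.
function renderLabelSafe(fileName) {
  return `<span class="file-label">${escapeHtml(fileName)}</span>`;
}

// Count element start tags in a fragment; a correctly rendered label has exactly one.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Return the file names whose rendering adds elements beyond the label's own <span>.
function namesThatInjectMarkup(names, render) {
  return names.filter((name) => countStartTags(render(name)) > 1);
}

// Constructed sample names, as they would arrive in File.name.
const SAMPLE_NAMES = [
  'holiday.png',
  'Q&A notes.txt',
  '<img src=x onerror=alert(1)>.png',
];

console.log('unsafe:', namesThatInjectMarkup(SAMPLE_NAMES, renderLabelUnsafe));
console.log('safe:  ', namesThatInjectMarkup(SAMPLE_NAMES, renderLabelSafe));
console.log(renderLabelSafe(SAMPLE_NAMES[2]));
```

Legitimate names such as `Q&A notes.txt` still display correctly after escaping, so the hardened form needs no allow-list of "safe" file names.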
References
Related Issues
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- vditor Vulnerable to Cross-site Scripting in SVG events - CVE-2021-4103
- Cross-site Scripting in vmd - CVE-2021-33041
- Cross-site scripting in react-bootstrap-table - CVE-2021-23398
Tags: npm, file-upload-with-preview
Last updated on February 01, 2023


