Description
All versions of html-pages are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize folder names, allowing attackers to execute arbitrary JavaScript in the victim’s browser through folders with names containing malicious code.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 3.1.0
References
- GHSA-5p26-hw7f-3cpr
- hackerone.com
- www.npmjs.com
- CVE-2018-16481
- CWE-64
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Bootstrap vulnerable to Cross-Site Scripting (XSS) - CVE-2018-14040
- Bootstrap Cross-site Scripting vulnerability - bootstrap - GHSA-7mvr-5x2g-wfc8 - CVE-2018-14042
- Bootstrap Cross-site Scripting vulnerability - bootstrap-sass - CVE-2018-14042
- bootstrap Cross-site Scripting vulnerability - bootstrap-sass - GHSA-ph58-4vrj-w6hr - CVE-2018-20677
You might also like:
- Tags:
- npm
- html-pages
Anything's wrong? Let us know Last updated on September 12, 2023