Description
Versions of iobroker.web prior to 2.4.10 are vulnerable to Cross-Site Scripting. The package fails to escape URL parameters that may be reflected in the server response. This can be used by attackers to execute arbitrary JavaScript in the victim’s browser.
Recommendation
Update the iobroker.web package to the latest compatible version. Version details:
- Affected version(s): < 2.4.10
- Patched version(s): 2.4.10
References
- GHSA-6rjc-4pwr-3vp7
- snyk.io
- www.npmjs.com
- CVE-2019-10771
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Cross-Site Scripting in dompurify - CVE-2019-16728
- Cross-site Scripting in aurelia-framework - CVE-2019-10062
- QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting - CVE-2026-0824
- Cross-site Scripting in pandao - CVE-2019-14653
Tags: npm, iobroker.web
Last updated on January 09, 2023