Description
Versions of iobroker.web prior to 2.4.10 are vulnerable to Cross-Site Scripting. The package fails to escape URL parameters that may be reflected in the server response. This can be used by attackers to execute arbitrary JavaScript in the victim’s browser.
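The flaw class described above, as an added example (not iobroker.web's code and not part of the original advisory): a handler that reflects a URL parameter into HTML as-is, next to one that escapes it at the point of output. The function names, the `page` parameter and the sample request are assumptions constructed for illustration.

```javascript
// Added example; hypothetical handlers, not taken from iobroker.web.

// Escape the five characters that can change HTML context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read one query parameter from a request URL (URL percent-decodes it).
function getParam(requestUrl, name) {
  // The base is only there so relative request paths can be parsed.
  const url = new URL(requestUrl, 'http://localhost');
  return url.searchParams.get(name) ?? '';
}

// Vulnerable pattern: the parameter is concatenated into the response unchanged.
function renderUnsafe(requestUrl) {
  const page = getParam(requestUrl, 'page');
  return `<p>Page not found: ${page}</p>`;
}

// Hardened pattern: the parameter is escaped where it is written into HTML.
function renderSafe(requestUrl) {
  const page = getParam(requestUrl, 'page');
  return `<p>Page not found: ${escapeHtml(page)}</p>`;
}

// Constructed sample request; the parameter name "page" is an assumption.
const sampleUrl = '/error?page=' + encodeURIComponent('<img src=x onerror=alert(1)>');

function demo() {
  return { unsafe: renderUnsafe(sampleUrl), safe: renderSafe(sampleUrl) };
}

console.log(demo());
```

The helper covers HTML element content and quoted attribute values only; values written into script blocks, URLs or CSS need encoding that matches those contexts.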
Recommendation
Update the iobroker.web package to the latest compatible version. Version details:
- Affected version(s): < 2.4.10
- Patched version(s): 2.4.10
References
Related Issues
- AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes - CVE-2019-14863
- Cross-Site Scripting in min-http-server - CVE-2019-5457
- DOM-based cross-site scripting in Froala Editor - CVE-2019-19935
- Cross-site Scripting in pandao editor.md - CVE-2019-14517
Tags: npm, iobroker.web
Last updated on January 09, 2023