Description
Versions of iobroker.web prior to 2.4.10 are vulnerable to Cross-Site Scripting. The package fails to escape URL parameters that may be reflected in the server response. Attackers can use this to execute arbitrary JavaScript in the victim's browser.
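The flaw class described above, shown as an added example that is not taken from the iobroker.web source: a handler that reflects a URL parameter unescaped, beside the same handler with HTML escaping applied. The route `/lookup`, the parameter `name`, and the function names are hypothetical.

```javascript
// Added example: hypothetical handlers, not iobroker.web code.
// Uses only the global URL class available in Node.js and browsers.

// Escape the five characters that are significant in HTML text and
// quoted-attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the (hypothetical) "name" parameter from a request URL.
// searchParams.get() percent-decodes the value, so markup arrives intact.
function getName(requestUrl) {
  return new URL(requestUrl, 'http://localhost').searchParams.get('name') || '';
}

// Vulnerable pattern: the parameter is reflected into the response as-is.
function renderUnsafe(requestUrl) {
  return `<p>Unknown page: ${getName(requestUrl)}</p>`;
}

// Hardened pattern: same response, parameter escaped before it reaches HTML.
function renderSafe(requestUrl) {
  return `<p>Unknown page: ${escapeHtml(getName(requestUrl))}</p>`;
}

// Constructed request: the parameter carries markup instead of a plain name.
const sample = '/lookup?name=' + encodeURIComponent('<script>alert(1)</script>');

console.log('unsafe:', renderUnsafe(sample)); // markup survives and would be parsed
console.log('safe:  ', renderSafe(sample));   // markup is rendered as inert text
```

Escaping like this covers HTML text and quoted attribute values only; a parameter reflected into a script block, URL attribute, or CSS needs the encoding for that context.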
Recommendation
Update the iobroker.web package to the latest compatible version. Version details:
- Affected version(s): < 2.4.10
- Patched version(s): 2.4.10
Tags: npm, iobroker.web
Last updated on January 09, 2023