Description
Versions of iobroker.web prior to 2.4.10 are vulnerable to Cross-Site Scripting. The package fails to escape URL parameters that may be reflected in the server response. This can be used by attackers to execute arbitrary JavaScript in the victim’s browser.
Recommendation
Update the iobroker.web package to the latest compatible version. Version details:
- Affected version(s): < 2.4.10
- Patched version(s): 2.4.10
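The bug class described above, shown as an added example that is not iobroker.web's own code: a handler that reflects a URL parameter into HTML unescaped, the same handler with output escaping, and a regression check that tells them apart. The `room` parameter, the function names and the probe string are assumptions made for illustration.

```javascript
// Added illustration, not iobroker.web source. All names here are hypothetical.

// Escape the five characters that matter in HTML text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read one query parameter from a request URL (path + query string).
function getParam(requestUrl, name) {
  return new URL(requestUrl, 'http://localhost').searchParams.get(name) || '';
}

// Vulnerable pattern: the decoded parameter is concatenated into the response.
function renderUnsafe(requestUrl) {
  const room = getParam(requestUrl, 'room');
  return `<h1>Room: ${room}</h1><input name="room" value="${room}">`;
}

// Hardened pattern: every reflected value is escaped at the point of output.
function renderSafe(requestUrl) {
  const room = escapeHtml(getParam(requestUrl, 'room'));
  return `<h1>Room: ${room}</h1><input name="room" value="${room}">`;
}

// Regression check: true if a constructed, inert markup probe comes back
// byte-for-byte in the response, meaning the parameter was not escaped.
function reflectsRawMarkup(render) {
  const probe = '"><i id=xss-probe>'; // constructed test value
  const body = render('/index.html?room=' + encodeURIComponent(probe));
  return body.includes(probe);
}

console.log('unsafe handler reflects raw markup:', reflectsRawMarkup(renderUnsafe));
console.log('safe handler reflects raw markup:  ', reflectsRawMarkup(renderSafe));
```

The same probe-and-compare check can be run against a deployed instance before and after upgrading to confirm the patched version is the one serving responses.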
References
Related Issues
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- Cross-Site Scripting in serialize-to-js - CVE-2019-16772
- AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes - CVE-2019-14863
- SQL Injection and Cross-site Scripting in class-validator - CVE-2019-18413
Tags:
- npm
- iobroker.web
Last updated on January 09, 2023