Cross-Site Scripting in @nuxt/devalue

Severity:: Medium

Description

Versions of @nuxt/devalue prior to 1.2.3 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization attacker may inject arbitrary JavaScript code through object keys.

Recommendation

Update the @nuxt/devalue package to the latest compatible version. Followings are version details:

Affected version(s): < 1.2.3
Patched version(s): 1.2.3

References

GHSA-6677-83pp-f862
www.npmjs.com
CVE-2019-13506
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes - CVE-2019-14863
Cross-Site Scripting in min-http-server - CVE-2019-5457
DOM-based cross-site scripting in Froala Editor - CVE-2019-19935
Cross-site Scripting in pandao editor.md - CVE-2019-14517

Tags:: npm; @nuxt/devalue

Anything's wrong? Let us know Last updated on January 09, 2023