Description
Versions of selectize-plugin-a11y prior to 1.1.0 are vulnerable to Cross-Site Scripting. The accessibility.liveRegion.speak function does not sanitize the msg variable before rendering it as HTML. If this variable is controlled by user input it allows attackers to execute arbitrary JavaScript in a victim’s browser.
Recommendation
Update the selectize-plugin-a11y package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.1.0
- Patched version(s): 1.1.0
References
Related Issues
- Cross-Site Scripting in iobroker.web - CVE-2019-10771
- Cross-Site Scripting in serialize-to-js - CVE-2019-16772
- Materialize-css vulnerable to Cross-site Scripting in autocomplete component - CVE-2019-11003
- Materialize-css vulnerable to Cross-site Scripting in autocomplete component - materialize-css - CVE-2019-11003
You might also like:
- Tags:
- npm
- selectize-plugin-a11y
Anything's wrong? Let us know Last updated on January 09, 2023


