Description
Versions of shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The shave package overwrites HTML elements and in doing so fails to properly encode the output. If encoded HTML input is passed into shave the output will be decoded which may lead to Cross-Site Scripting.
Recommendation
Update the shave package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.5.3
- Patched version(s): 2.5.3
References
Related Issues
- AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes - CVE-2019-14863
- Cross-Site Scripting in min-http-server - CVE-2019-5457
- DOM-based cross-site scripting in Froala Editor - CVE-2019-19935
- Cross-site Scripting in pandao editor.md - CVE-2019-14517
- Tags:
- npm
- shave
Anything's wrong? Let us know Last updated on January 09, 2023