Description
Versions of shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The shave package overwrites HTML elements and in doing so fails to properly encode the output. If encoded HTML input is passed into shave the output will be decoded which may lead to Cross-Site Scripting.
Recommendation
Update the shave package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.5.3
- Patched version(s): 2.5.3
References
Related Issues
- Materialize-css vulnerable to Cross-site Scripting in autocomplete component - materialize-css - CVE-2019-11003
- Bootstrap Vulnerable to Cross-Site Scripting - CVE-2019-8331
- Cross-Site Scripting in @nuxt/devalue - CVE-2019-13506
- AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes - CVE-2019-14863
You might also like:
- Tags:
- npm
- shave
Anything's wrong? Let us know Last updated on January 09, 2023


