Cross-Site Scripting in status-board

Severity:: Medium

Description

All versions of status-board are vulnerable to Cross-Site Scripting. The renderJsDashboard() function concatenates the safeDashboard variable to the HTTP response message with insufficient sanitization. If this variable is controlled by user input it may allow attackers to execute arbitrary JavaScript in a victim’s browser.

Recommendation

Update the status-board package to the latest compatible version. Followings are version details:

Affected version(s): < 1.1.82
Patched version(s): 1.1.82

References

GHSA-6m4r-cgm3-6q7q
snyk.io
www.npmjs.com
CVE-2019-15478
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Status Board vulnerable to Cross-Site Scripting before v1.1.82 - CVE-2019-15479
Materialize-css vulnerable to Cross-site Scripting in autocomplete component - CVE-2019-11003
Cross-Site Scripting in serialize-to-js - CVE-2019-16772
Materialize-css vulnerable to Cross-site Scripting in autocomplete component (GHSA-7752-f4gf-94gc) - CVE-2019-11003

Tags:: npm; status-board

Anything's wrong? Let us know Last updated on January 09, 2023