Cross-Site Scripting in webpack-bundle-analyzer

Severity:: Medium

Description

Versions of webpack-bundle-analyzer prior to 3.3.2 are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.

Recommendation

Update the webpack-bundle-analyzer package to the latest compatible version. Followings are version details:

Affected version(s): < 3.3.2
Patched version(s): 3.3.2

References

GHSA-pgr8-jg6h-8gw6
snyk.io
www.npmjs.com
CWE-79
OWASP 2021-A3

Related Issues

Cross-Site Scripting in bootstrap-select (GHSA-9r7h-6639-v5mw) - Vulnerability
Froala Editor Cross-site Scripting vulnerability - CVE-2023-41592
Cross Site Scripting vulnerability in store2 - CVE-2024-57556
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350

Tags:: npm; webpack-bundle-analyzer

Anything's wrong? Let us know Last updated on April 13, 2023