Materialize-css vulnerable to Cross-site Scripting in autocomplete component (GHSA-7752-f4gf-94gc)

Severity:: Medium

Description

All versions of materialize-css are vulnerable to Cross-Site Scripting. The autocomplete component does not sufficiently sanitize user input, allowing an attacker to execute arbitrary JavaScript code if the malicious input is rendered by a user.

Recommendation

No fix is available yet. Followings are affected versions:

<= 1.0.0

References

GHSA-7752-f4gf-94gc
snyk.io
CVE-2019-11003
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (GHSA-6465-jgvq-jhgp) - CVE-2025-65944
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - CVE-2024-23331
xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection (GHSA-h4j5-c7cj-74xg) - CVE-2020-28502
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - CVE-2024-35255

Tags:: npm; materialize-css

Anything's wrong? Let us know Last updated on August 28, 2023