Materialize-css vulnerable to Cross-site Scripting in tooltip component

Severity:: Medium

Description

All versions of materialize-css are vulnerable to Cross-Site Scripting. The tooltip component does not sufficiently sanitize user input, allowing an attacker to execute arbitrary JavaScript code if the malicious input is rendered by a user.

Recommendation

Update the @materializecss/materialize package to the latest compatible version. Followings are version details:

Affected version(s): < 1.1.0-alpha
Patched version(s): 1.1.0-alpha

References

GHSA-98f7-p5rc-jx67
snyk.io
www.npmjs.com
CVE-2019-11002
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Materialize-css vulnerable to Cross-site Scripting in tooltip component (GHSA-98f7-p5rc-jx67) - CVE-2019-11002
Materialize-css vulnerable to Cross-site Scripting in autocomplete component - CVE-2019-11003
Materialize-css vulnerable to Cross-site Scripting in autocomplete component (GHSA-7752-f4gf-94gc) - CVE-2019-11003
materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input - CVE-2022-25349

Tags:: npm; @materializecss/materialize

Anything's wrong? Let us know Last updated on August 28, 2023