materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input

Severity:: Medium

Description

All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user-input is provided to the autocomplete component.

Recommendation

No fix is available yet. Followings are affected versions:

<= 1.0.0

References

GHSA-7jvx-f994-rfw2
snyk.io
CVE-2022-25349
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Materialize-css vulnerable to Cross-site Scripting in tooltip component - materialize-css - CVE-2019-11002
Materialize-css vulnerable to Cross-site Scripting in autocomplete component - materialize-css - CVE-2019-11003
Materialize-css vulnerable to Improper Neutralization of Input During Web Page Generation - materialize-css - CVE-2019-11004
Materialize-css vulnerable to Cross-site Scripting in tooltip component - CVE-2019-11002

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; materialize-css

Anything's wrong? Let us know Last updated on February 01, 2023