materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input

Severity:: Medium

Description

All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user-input is provided to the autocomplete component.

Recommendation

No fix is available yet. Followings are affected versions:

<= 1.0.0

References

GHSA-7jvx-f994-rfw2
snyk.io
CVE-2022-25349
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Materialize-css vulnerable to Cross-site Scripting in autocomplete component (GHSA-7752-f4gf-94gc) - CVE-2019-11003
Materialize-css vulnerable to Cross-site Scripting in tooltip component (GHSA-98f7-p5rc-jx67) - CVE-2019-11002
Materialize-css vulnerable to Improper Neutralization of Input During Web Page Generation (GHSA-rg3q-jxmp-pvjj) - CVE-2019-11004
Materialize-css vulnerable to Cross-site Scripting in autocomplete component - CVE-2019-11003

Tags:: npm; materialize-css

Anything's wrong? Let us know Last updated on February 01, 2023