Description
Svelecte renders item names as raw HTML without escaping them. Anyone who can influence the name of an item shown in a Svelecte dropdown (for example through option data the application loads from user-controlled input) can therefore inject arbitrary HTML into the dropdown, and with it arbitrary JavaScript that runs in the victim's browser whenever the dropdown is opened (cross-site scripting).
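To make the bug class concrete, the following added example (not Svelecte's code; the `{ value, text }` item shape, the `sv-item` markup and the function names are assumptions) renders a constructed option list the unsafe way, interpolating item text straight into markup, and the hardened way, escaping every untrusted string first. Only the unsafe renderer turns the attacker-supplied item name into a live tag.

```javascript
// Added illustration of the vulnerability class: untrusted item names rendered
// as raw HTML versus escaped first. This is NOT Svelecte's implementation; the
// item shape { value, text } and the markup are assumed for the example.

// Constructed option list, as an application might load it from an API where
// one record (the third) was submitted by an attacker.
const OPTIONS = [
  { value: 1, text: 'Alice' },
  { value: 2, text: 'Bob & Co' },
  { value: 3, text: '<img src=x onerror="alert(document.cookie)">' },
];

// Minimal HTML escaping, sufficient for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: item text is interpolated into markup unescaped (the
// equivalent of Svelte's {@html ...}). Any tag in the text becomes real DOM
// as soon as the dropdown is rendered, so its event handlers fire.
function renderDropdownUnsafe(options) {
  return options
    .map(o => `<div class="sv-item" data-value="${o.value}">${o.text}</div>`)
    .join('');
}

// Hardened pattern: every untrusted value is escaped before interpolation (the
// equivalent of Svelte's default {text} binding, which escapes automatically).
function renderDropdownSafe(options) {
  return options
    .map(o => `<div class="sv-item" data-value="${escapeHtml(o.value)}">${escapeHtml(o.text)}</div>`)
    .join('');
}

// Check rendered dropdown output for item bodies that still contain raw tags.
// Useful on component output or test fixtures when reviewing a fix.
function itemBodiesContainTags(html) {
  const bodies = [...html.matchAll(/<div class="sv-item" data-value="[^"]*">(.*?)<\/div>/gs)]
    .map(m => m[1]);
  return bodies.some(b => /<[a-zA-Z!/]/.test(b));
}

// Stand-alone demonstration.
console.log('unsafe leaks tag:', itemBodiesContainTags(renderDropdownUnsafe(OPTIONS)));
console.log('safe leaks tag:  ', itemBodiesContainTags(renderDropdownSafe(OPTIONS)));
```

The escaping shown here is the generic fix for this class; in Svelte specifically the point is that `{@html}` must never receive strings an attacker can influence, and the default `{...}` text binding already escapes.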
Recommendation
Update the svelecte package to the latest compatible version. Version details:
- Affected version(s): < 3.16.3
- Patched version(s): 3.16.3
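As an added check (my own script, not part of the advisory or of the svelecte project; the lockfile excerpt is constructed and the helper names are my own), the following finds every installed copy of svelecte in a package-lock.json v2/v3 structure and compares each against the patched version with a small semver comparator. Pre-releases of 3.16.3 are treated as still affected, since they sort before the release.

```javascript
// Added example: decide whether installed svelecte versions fall in the
// affected range (< 3.16.3) from lockfile data. Not part of the advisory;
// the lockfile excerpt below is constructed for the example.

const PACKAGE = 'svelecte';
const FIRST_PATCHED = '3.16.3'; // from the advisory's version details

// Constructed package-lock.json (lockfileVersion 3) excerpt with only the
// entries that matter here.
const LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { svelecte: '^3.15.0' } },
    'node_modules/svelecte': { version: '3.16.2' },
    'node_modules/svelte': { version: '4.2.1' },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Comparator returning <0, 0 or >0. Follows semver precedence rules: a
// pre-release sorts before the matching release, numeric identifiers sort
// before alphanumeric ones, and a shorter identifier list sorts first.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] - y[k];
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const xn = /^\d+$/.test(x.pre[i]), yn = /^\d+$/.test(y.pre[i]);
    if (xn && yn) { if (+x.pre[i] !== +y.pre[i]) return +x.pre[i] - +y.pre[i]; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of a package in a v2/v3 lockfile, including nested
// copies under paths such as node_modules/foo/node_modules/svelecte.
function installedVersions(lock, pkg) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === `node_modules/${pkg}` || p.endsWith(`/node_modules/${pkg}`))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

function isAffected(version) {
  return compareSemver(version, FIRST_PATCHED) < 0;
}

// Report each installed copy with an affected flag.
function auditLock(lock) {
  return installedVersions(lock, PACKAGE).map(e => ({ ...e, affected: isAffected(e.version) }));
}

// Stand-alone demonstration.
for (const e of auditLock(LOCKFILE)) {
  console.log(`${e.path} ${e.version}: ${e.affected ? 'AFFECTED, upgrade to >= ' + FIRST_PATCHED : 'ok'}`);
}
```

To run this against a real project, replace the constructed `LOCKFILE` object with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Checking the lockfile rather than the `^` range in package.json matters because the range only says what is allowed, not what is actually installed.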
References
Related Issues
- Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - CVE-2023-45133
- PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - CVE-2024-4367
- Arbitrary JavaScript Execution in typed-function - CVE-2017-1001004
- XSS vulnerability allowing arbitrary JavaScript execution - CVE-2021-41174
- Tags:
- npm
- svelecte
Last updated on November 08, 2023