Description
Svelecte renders item names as raw HTML without escaping them. Any HTML contained in an item name is therefore injected verbatim into the dropdown markup, and an attacker who can influence item names can inject markup that executes arbitrary JavaScript whenever the Svelecte dropdown is opened (a DOM-based cross-site scripting condition).
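The following is an added example, not Svelecte's own code, showing the bug class described above in a minimal dropdown renderer: the unescaped pattern beside the escaped one. The helper names (renderOptionsUnsafe, renderOptionsSafe, escapeHtml) and the markup shape are assumptions for illustration only; the sample item list is constructed.

```javascript
// Added example (not Svelecte's own code): a minimal dropdown renderer that
// illustrates rendering item names as raw HTML versus escaping them.
// Function names and markup shape are assumptions for illustration only.

// Constructed sample data: the last item name is attacker-controlled.
const ITEMS = [
  { value: 1, text: 'Apple' },
  { value: 2, text: 'Tom & Jerry <3' },
  { value: 3, text: '<img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable pattern: item text is concatenated into markup as-is, so a
// crafted name becomes live HTML (and, through an event handler attribute,
// JavaScript) every time the option list is rendered.
function renderOptionsUnsafe(items) {
  return items
    .map((item) => `<div class="sv-item" data-value="${item.value}">${item.text}</div>`)
    .join('');
}

// Hardened pattern: encode the characters that can change the meaning of
// HTML text or attribute content before interpolating untrusted strings.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderOptionsSafe(items) {
  return items
    .map(
      (item) =>
        `<div class="sv-item" data-value="${escapeHtml(item.value)}">${escapeHtml(item.text)}</div>`,
    )
    .join('');
}

// Regression check: the payload's tag must not survive as markup.
function payloadIsNeutralised(items) {
  const html = renderOptionsSafe(items);
  return !html.includes('<img') && html.includes('&lt;img');
}

// Stand-alone demonstration.
console.log('unsafe:', renderOptionsUnsafe(ITEMS));
console.log('safe:  ', renderOptionsSafe(ITEMS));
console.log('neutralised:', payloadIsNeutralised(ITEMS));
```

In a Svelte component the same distinction is between `{item.text}`, which Svelte escapes, and `{@html item.text}`, which inserts the string as markup; the latter is only safe for content that is already trusted or sanitised. When verifying a fix, test with names containing `<`, `&`, and quotes in both text and attribute positions, since each needs escaping.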
Recommendation
Update the svelecte package to a patched version (3.16.3 or later). Version details:
- Affected version(s): < 3.16.3
- Patched version(s): 3.16.3
Related Issues
- PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - CVE-2024-4367
- Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - CVE-2023-45133
- jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" pr - CVE-2026-25940
- Joplin is vulnerable to arbitrary code execution - CVE-2022-35131
Tags:
- npm
- svelecte
Last updated on November 08, 2023