tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload
- Severity: Medium
Description
This affects the package @yaireo/tagify before 4.9.8. The package renders UI components inside input or text fields. An attacker who can pass a malicious placeholder value to it can trigger a cross-site scripting (XSS) payload.
Recommendation
Update the @yaireo/tagify package to the latest compatible version. Version details:
- Affected version(s): < 4.9.8
- Patched version(s): 4.9.8
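One way to check a project against the affected range above, as an added example (not code from this advisory or from the tagify project): it walks a parsed package-lock.json, in either the `packages` or the nested `dependencies` layout, and flags every @yaireo/tagify entry below 4.9.8. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag @yaireo/tagify entries below 4.9.8 in a parsed package-lock.json.
const PKG = '@yaireo/tagify';
const PATCHED = [4, 9, 8]; // first patched version, taken from the advisory

// Parse "MAJOR.MINOR.PATCH[-pre][+build]"; returns null when the string is not a plain version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// true = below 4.9.8, false = 4.9.8 or later, null = unparseable (git URL, tag): review by hand.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== PATCHED[i]) return p.nums[i] < PATCHED[i];
  }
  return p.pre; // a 4.9.8 pre-release sorts before the patched release
}

// Walk both lockfile layouts: "packages" (v2/v3) and nested "dependencies" (v1).
function findTagify(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}${name}`;
      if (name === PKG) hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
      walk(meta.dependencies, `${path} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // avoid double-counting v2 files
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@yaireo/tagify': { version: '4.9.7' },
    'node_modules/widget/node_modules/@yaireo/tagify': { version: '4.9.8' },
  },
};
console.log(findTagify(sampleLock));
```

Transitive copies matter here: a patched top-level install does not help if a nested dependency still pins an older release.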
References
Related Issues
- Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) - CVE-2026-23733
- Cross-site Scripting (XSS) in serve-lite - CVE-2022-25847
- materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input - CVE-2022-25349
- Cross-site Scripting in Auth0 Lock - CVE-2022-29172
- Tags: npm, @yaireo/tagify
Last updated on January 30, 2023