tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload
- Severity:
- Medium
Description
This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the cross-site scripting (XSS) payload.
Recommendation
Update the @yaireo/tagify package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.9.8
- Patched version(s): 4.9.8
References
Related Issues
- Making all attributes on a content-type public without noticing it (GHSA-chmr-rg2f-9jmf) 2 - CVE-2023-34093
- undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect - CVE-2022-31151
- Parse Server vulnerable to brute force guessing of user sensitive data via search patterns - CVE-2022-36079
- steal vulnerable to Regular Expression Denial of Service via source and sourceWithComments - CVE-2022-37262
- Tags:
- npm
- @yaireo/tagify
Anything's wrong? Let us know Last updated on January 30, 2023