Description
The @urql/next package is vulnerable to cross-site scripting (XSS). To exploit this, an attacker would need to ensure that the response returns HTML tags and that the web application is using streamed responses (non-RSC). The vulnerability is due to improper escaping of HTML-like characters in the response stream.
To fix this vulnerability, upgrade to version 1.1.1.
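The escaping problem described above, shown as an added example that is not code from @urql/next: a streamed HTML chunk that embeds serialized data in an inline script, first unescaped and then hardened. The function names, the `window.__DATA__` sink and the sample result are hypothetical.

```javascript
// Added illustration; names and sample data are hypothetical and are
// not taken from the @urql/next code base.

// Characters that can end or alter an inline <script> element, mapped to
// JSON-compatible \uXXXX escapes so the parsed value stays identical.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Unsafe: JSON.stringify leaves "<" and ">" untouched, so a string value
// containing "</script>" closes the element early in the HTML parser and
// everything after it is parsed as markup.
function unsafeChunk(data) {
  return `<script>window.__DATA__.push(${JSON.stringify(data)})</script>`;
}

// Hardened: escape HTML-significant characters after serializing.
// Escaping "<" also covers "<!--" and "<script" inside the data.
function escapeForInlineScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

function safeChunk(data) {
  return `<script>window.__DATA__.push(${escapeForInlineScript(data)})</script>`;
}

// Counts the script end tags an HTML parser would see in the chunk.
// A correctly escaped chunk has exactly one: the wrapper's own.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: a GraphQL-style result whose field holds HTML tags.
const sampleResult = {
  data: { post: { title: "hello </script><b>markup</b>" } },
};

console.log("unsafe end tags:", countScriptEndTags(unsafeChunk(sampleResult)));
console.log("safe end tags:  ", countScriptEndTags(safeChunk(sampleResult)));
```

The same end-tag count works as a regression check on rendered stream chunks after upgrading to 1.1.1.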
Recommendation
Update the @urql/next package to the latest compatible version. Version details:
- Affected version(s): < 1.1.1
- Patched version(s): 1.1.1
References
Related Issues
- Stimulsoft Dashboard.JS Cross Site Scripting vulnerability - CVE-2024-24396
- Trix has a cross-site Scripting vulnerability on copy & paste - CVE-2024-43368
- SummerNote Cross Site Scripting Vulnerability - CVE-2024-37629
- ghtml Cross-Site Scripting (XSS) vulnerability - CVE-2024-37166
Tags
- npm
- @urql/next
Last updated on January 30, 2024