GHSA-gh4g-3gm9-5wrq

Source

https://github.com/advisories/GHSA-gh4g-3gm9-5wrq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-gh4g-3gm9-5wrq/GHSA-gh4g-3gm9-5wrq.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-gh4g-3gm9-5wrq

Aliases

CVE-2019-12313

Published

2019-05-29T18:38:08Z

Modified

2023-11-01T04:50:18.696507Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Cross-Site Scripting in shave

Details

Versions of shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The shave package overwrites HTML elements and in doing so fails to properly encode the output. If encoded HTML input is passed into shave the output will be decoded which may lead to Cross-Site Scripting.

Recommendation

Upgrade to version 2.5.3 or later.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2019-05-29T18:37:51Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

npm / shave

Package

Name: shave; View open source insights on deps.dev
Purl: pkg:npm/shave

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.3