GHSA-rv8p-rr2h-fgpg

Source
https://github.com/advisories/GHSA-rv8p-rr2h-fgpg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-rv8p-rr2h-fgpg/GHSA-rv8p-rr2h-fgpg.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rv8p-rr2h-fgpg
Aliases
Published
2024-01-30T20:57:45Z
Modified
2024-01-30T20:57:45Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability
Details

Impact

The @apollo/experimental-nextjs-app-support npm package (referred to in the original advisory text as @apollo/experimental-apollo-client-nextjs) is vulnerable to cross-site scripting (CWE-80). The package embeds untrusted input into HTML pages during server-side rendering without proper escaping, so a value containing script-related HTML can inject JavaScript into the rendered page. The fix applies the appropriate escaping at render time to prevent JavaScript injection into rendered pages.
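The class of bug described above, as an added example that is not the package's own code: a server-side rendering step that inlines fetched data into a script element for client rehydration, first in the unescaped form and then with escaping applied. The global name window.__APOLLO_STATE__, the helper names and the sample data are assumptions made for this illustration; the actual affected code path in the package is not reproduced here.

```javascript
// Added illustrative example of the CWE-80 bug class described in this
// advisory; it is NOT the code of @apollo/experimental-nextjs-app-support.
// The global name window.__APOLLO_STATE__, the function names and the sample
// data are assumptions made for this example.

// Constructed untrusted input: imagine a profile field a user can edit.
const sampleData = {
  user: { bio: '</script><script>alert(document.cookie)</script>' },
};

// Vulnerable pattern: JSON.stringify() knows nothing about HTML. The browser's
// HTML parser ends the inline <script> element at the first "</script>" it
// sees in the byte stream, regardless of JavaScript string quoting, so the
// attacker's second <script> element executes.
function renderVulnerable(data) {
  return `<script>window.__APOLLO_STATE__ = ${JSON.stringify(data)};</script>`;
}

// Hardened pattern: rewrite the characters that are meaningful to the HTML
// parser as JSON \uXXXX escapes. The result is still valid JSON/JavaScript
// and decodes to the original string, but the HTML stream no longer contains
// a literal "</script>", "<!--" or "&...;" sequence. U+2028/U+2029 are escaped
// too because some JavaScript engines treat them as line terminators.
function escapeJsonForInlineScript(json) {
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(data) {
  const json = escapeJsonForInlineScript(JSON.stringify(data));
  return `<script>window.__APOLLO_STATE__ = ${json};</script>`;
}

// Rough stand-in for what the HTML parser would see: how many <script> open
// tags and </script> close tags the markup contains. One of each is expected.
function countScriptTags(html) {
  return {
    open: (html.match(/<script\b/gi) || []).length,
    close: (html.match(/<\/script>/gi) || []).length,
  };
}

// Shows that the escaping is lossless: what the client rehydrates equals the
// original data, because "\u003c" inside a JSON string is just "<".
function rehydrate(html) {
  const m = /window\.__APOLLO_STATE__ = (.*);<\/script>$/.exec(html);
  return JSON.parse(m[1]);
}

console.log('vulnerable:', countScriptTags(renderVulnerable(sampleData)));
console.log('hardened:  ', countScriptTags(renderHardened(sampleData)));
```

The escaping happens on the serialized JSON rather than on the data, which is the property a reviewer should look for: any value, however deeply nested, that reaches the inline script passes through the same single choke point.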

Patches

To fix this issue, please update to version 0.7.0 or later.

Workarounds

There are no known workarounds for this issue. Please update to version 0.7.0 or later.

Database specific
{
    "nvd_published_at": "2024-01-30T18:15:48Z",
    "cwe_ids": [
        "CWE-80"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T20:57:45Z"
}
References

Affected packages

npm / @apollo/experimental-nextjs-app-support

Package

Name
@apollo/experimental-nextjs-app-support
Purl
pkg:npm/%40apollo/experimental-nextjs-app-support

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.7.0

Database specific

{
    "last_known_affected_version_range": "<= 0.6.0"
}
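Evaluating the affected range above against an installed version, as an added example that is neither OSV's nor the package's own code. It applies the OSV event semantics for a SEMVER range (a version is affected if it is at or above an "introduced" event and below the following "fixed" event, with introduced "0" meaning the start of version history). The semver parser, the lockfile fragment and the function names are assumptions made for this illustration.

```javascript
// Added illustrative example, not OSV's or the package's own code: evaluates
// the SEMVER affected range listed on this page using OSV's event semantics
// (a version is affected if it is >= an "introduced" event and < the next
// "fixed" event; introduced "0" means the beginning of version history).
// Only "major.minor.patch[-prerelease][+build]" versions are understood, and
// events are assumed to be in ascending order, as they appear on this page.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Returns -1, 0 or 1. Pre-release identifiers follow semver 2.0.0 rules:
// 0.7.0-alpha.1 < 0.7.0, and numeric identifiers sort before alphanumeric ones.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum !== yNum) {
      return xNum ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// The affected range exactly as this page lists it.
const affectedRange = {
  type: 'SEMVER',
  events: [{ introduced: '0' }, { fixed: '0.7.0' }],
};

function isAffected(version, range) {
  if (range.type !== 'SEMVER') throw new Error('only SEMVER ranges are handled here');
  const atLeast = (v, bound) => bound === '0' || compareSemver(v, bound) >= 0;
  let lower = null; // "introduced" bound of the window currently open
  for (const ev of range.events) {
    if ('introduced' in ev) {
      lower = ev.introduced;
    } else if ('fixed' in ev && lower !== null) {
      if (atLeast(version, lower) && compareSemver(version, ev.fixed) < 0) return true;
      lower = null; // window closed by the fix
    }
  }
  return lower !== null && atLeast(version, lower); // window never closed
}

// Constructed package-lock.json (lockfileVersion 3) fragment for the demo,
// not a real lockfile. Packages are keyed by their node_modules path.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/@apollo/experimental-nextjs-app-support': { version: '0.6.0' },
  },
};

function checkLockfile(lock, pkgName, range) {
  const entry = lock.packages && lock.packages[`node_modules/${pkgName}`];
  if (!entry) return { installed: false };
  return { installed: true, version: entry.version, affected: isAffected(entry.version, range) };
}

console.log(checkLockfile(sampleLock, '@apollo/experimental-nextjs-app-support', affectedRange));
```

Note that a pre-release of the fixed version (for example 0.7.0-alpha.1) still falls inside the affected window, since it sorts below 0.7.0; the "last_known_affected_version_range" of <= 0.6.0 above is informational and does not narrow the range the events define.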