CVE-2022-25854

Sažetak

This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.

Reference

https://github.com/yairEO/tagify/releases/tag/v4.9.8
https://snyk.io/vuln/SNYK-JS-YAIREOTAGIFY-2404358
https://github.com/yairEO/tagify/commit/198c0451fad188390390395ccfc84ab371def4c7
https://github.com/yairEO/tagify/issues/988
https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/

CVSS

Base:	3.5
Impact:	2.9
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:S/C:N/I:P/A:N

Zadnje važnije ažuriranje

23-09-2022 - 18:57

Objavljeno

29-04-2022 - 20:15