Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13NHY3LWh3eDctOTkyOc0W5A

Cross-site Scripting in tempura

This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e. an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.
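A constructed illustration of the bug class described above, added here and not taken from tempura's own source: an escape helper that returns object input (arrays included) unescaped, beside a hardened version that coerces every value to a string before escaping. The names escVulnerable, escHardened and render, and the sample input, are assumptions for this example.

```javascript
// Constructed example of the advisory's bug class; NOT tempura's code.
const ESCAPE_RE = /[&<>"']/g;
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeString(str) {
  return str.replace(ESCAPE_RE, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable shape: only string input is escaped. An object (e.g. an array)
// is returned as-is, and the template later coerces it to a string, so any
// markup inside the array elements reaches the HTML output unescaped.
function escVulnerable(value) {
  if (typeof value === 'string') return escapeString(value);
  if (typeof value === 'object' && value !== null) return value; // bug: no escaping
  return String(value);
}

// Hardened shape: coerce first (the same way the template would), then
// escape the resulting string, whatever the input type was.
function escHardened(value) {
  if (value === null || value === undefined) return '';
  return escapeString(String(value));
}

// Minimal stand-in for a template that interpolates an escaped value.
function render(esc, value) {
  return `<p>${esc(value)}</p>`;
}

// Constructed input: an array whose element carries markup.
const SAMPLE = ['<b>x</b>'];
console.log(render(escVulnerable, SAMPLE)); // markup survives: <p><b>x</b></p>
console.log(render(escHardened, SAMPLE));   // escaped: <p>&lt;b&gt;x&lt;/b&gt;</p>
```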

Permalink: https://github.com/advisories/GHSA-w4v7-hwx7-9929
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NHY3LWh3eDctOTkyOc0W5A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-w4v7-hwx7-9929, CVE-2021-23784
References: Repository: https://github.com/lukeed/tempura
Blast Radius: 7.3

Affected Packages

npm:tempura
Dependent packages: 8
Dependent repositories: 16
Downloads: 51,780 last month
Affected Version Ranges: < 0.4.0
Fixed in: 0.4.0
All affected versions: 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2
All unaffected versions: 0.4.0, 0.4.1