Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jZnhoLWZyeDQtOWdqZ84AA3yd
Cross-site Scripting in @spscommerce/ds-react
Impact
Cross-site scripting (XSS): anyone using the SPS Select component with its options prop populated from user input is impacted. If those options are persisted, the result could have been a stored XSS.
Patches
The code has been patched for version 7 of woodland. Users should upgrade to 7.17.4 or higher.
Workarounds
This is not recommended. If you do not upgrade, you would need to sanitize the options yourself, including any currently stored in databases.
Permalink: https://github.com/advisories/GHSA-cfxh-frx4-9gjg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZnhoLWZyeDQtOWdqZ84AA3yd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 12 months ago
Updated: 12 months ago
Identifiers: GHSA-cfxh-frx4-9gjg
References:
- https://github.com/SPSCommerce/woodland/security/advisories/GHSA-cfxh-frx4-9gjg
- https://github.com/advisories/GHSA-cfxh-frx4-9gjg
Blast Radius: 0.0
Affected Packages
npm:@spscommerce/ds-react
Dependent packages: 13
Dependent repositories: 1
Downloads: 6,665 last month
Affected Version Ranges: >= 4.12.2, < 7.17.4
Fixed in: 7.17.4