Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oeDRoLTY3NnItajNxcM4AA0ub
layui vulnerable to cross-site scripting
A vulnerability, which was classified as problematic, was found in layui up to v2.8.0-rc.16. This affects an unknown part of the component HTML Attribute Handler. The manipulation of the argument title leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.8.0 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-234237 was assigned to this vulnerability.
Permalink: https://github.com/advisories/GHSA-hx4h-676r-j3qpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oeDRoLTY3NnItajNxcM4AA0ub
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-hx4h-676r-j3qp, CVE-2023-3691
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-3691
- https://gitee.com/layui/layui/issues/I7HDXZ
- https://gitee.com/layui/layui/tree/v2.8.0
- https://vuldb.com/?ctiid.234237
- https://vuldb.com/?id.234237
- https://github.com/advisories/GHSA-hx4h-676r-j3qp
Affected Packages
npm:layui
Dependent packages: 17Dependent repositories: 34
Downloads: 79,200 last month
Affected Version Ranges: < 2.8.0
Fixed in: 2.8.0
All affected versions: 0.0.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6
All unaffected versions: 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.8.13, 2.8.14, 2.8.15, 2.8.16, 2.8.17, 2.8.18, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8