Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd2cHgtOTQ1OS13M21q

Cross-Site Scripting in @ckeditor/ckeditor5-link

Versions of status-board prior to 10.0.1 are vulnerable to Cross-Site Scripting. The _createPreviewButton() function fails to sanitize the href attribute of a created <a> tag. This may allow attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 10.0.1 or later.

Permalink: https://github.com/advisories/GHSA-gvpx-9459-w3mj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd2cHgtOTQ1OS13M21q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 6 years ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-gvpx-9459-w3mj, CVE-2018-11093
References: Repository: https://github.com/ckeditor/ckeditor5-link
Blast Radius: 22.0

Affected Packages

npm:@ckeditor/ckeditor5-link
Dependent packages: 2,791
Dependent repositories: 4,026
Downloads: 1,062,518 last month
Affected Version Ranges: >= 0.3.0, < 10.0.1
Fixed in: 10.0.1
All affected versions: 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 10.0.0
All unaffected versions: 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.1.0, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.1.1, 11.1.2, 15.0.0, 16.0.0, 17.0.0, 18.0.0, 19.0.0, 19.0.1, 20.0.0, 21.0.0, 22.0.0, 23.0.0, 23.1.0, 24.0.0, 25.0.0, 26.0.0, 27.0.0, 27.1.0, 28.0.0, 29.0.0, 29.1.0, 29.2.0, 30.0.0, 31.0.0, 31.1.0, 32.0.0, 33.0.0, 34.0.0, 34.1.0, 34.2.0, 35.0.0, 35.0.1, 35.1.0, 35.2.0, 35.2.1, 35.3.0, 35.3.1, 35.3.2, 35.4.0, 36.0.0, 36.0.1, 37.0.0, 37.0.1, 37.1.0, 38.0.0, 38.0.1, 38.1.0, 38.1.1, 39.0.0, 39.0.1, 39.0.2, 40.0.0, 40.1.0, 40.2.0, 41.0.0, 41.1.0, 41.2.0, 41.2.1, 41.3.0, 41.3.1