An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdoNGctM2dtOS01d3Jx

Severity: Moderate
EPSS: 0.00307% (0.53504 percentile)

Cross-Site Scripting in shave

Affected package: npm:shave (PURL: pkg:npm/shave)
Affected versions: < 2.5.3
Fixed versions: 2.5.3
Dependent packages: 28
Dependent repositories: 335
Downloads last month: 82,025

Affected Version Ranges

All affected versions

0.0.7, 0.0.8, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 2.0.0, 2.0.2, 2.0.3, 2.0.4, 2.1.2, 2.1.3, 2.1.7, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.5.2

All unaffected versions

2.5.3, 2.5.4, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 3.0.0, 4.0.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0

Versions of shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The shave package overwrites HTML elements and, in doing so, fails to properly encode the output. If encoded HTML input is passed into shave, the output is decoded, which may lead to Cross-Site Scripting.

Recommendation

Upgrade to version 2.5.3 or later.
