Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdoNGctM2dtOS01d3Jx

Cross-Site Scripting in shave

Versions of shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The shave package overwrites HTML elements and in doing so fails to properly encode the output. If encoded HTML input is passed into shave the output will be decoded which may lead to Cross-Site Scripting.

Recommendation

Upgrade to version 2.5.3 or later.

Permalink: https://github.com/advisories/GHSA-gh4g-3gm9-5wrq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdoNGctM2dtOS01d3Jx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago


CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00073
EPSS Percentile: 0.32507

Identifiers: GHSA-gh4g-3gm9-5wrq, CVE-2019-12313
References: Repository: https://github.com/dollarshaveclub/shave
Blast Radius: 15.4

Affected Packages

npm:shave
Dependent packages: 28
Dependent repositories: 335
Downloads: 90,481 last month
Affected Version Ranges: < 2.5.3
Fixed in: 2.5.3
All affected versions: 0.0.7, 0.0.8, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 2.0.0, 2.0.2, 2.0.3, 2.0.4, 2.1.2, 2.1.3, 2.1.7, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.5.2
All unaffected versions: 2.5.3, 2.5.4, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 3.0.0, 4.0.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4