Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Cross-Site Scripting in @ionic/core
Versions of @ionic/core prior to 4.0.3, 4.1.3, 4.2.1 or 4.3.1 are vulnerable to Cross-Site Scripting (XSS). The package uses the unsafe innerHTML property without sanitizing input, which may allow attackers to execute arbitrary JavaScript in the victim's browser. This issue affects the following component properties:
- <ion-alert>.message
- <ion-searchbar>.placeholder
- <ion-infinite-scroll-content>.loadingText
- <ion-refresher-content>.pullingText
- <ion-refresher-content>.refreshingText
Recommendation
- If you are using @ionic/core 4.0.x, upgrade to 4.0.3 or later.
- If you are using @ionic/core 4.1.x, upgrade to 4.1.3 or later.
- If you are using @ionic/core 4.2.x, upgrade to 4.2.1 or later.
- If you are using @ionic/core 4.3.x, upgrade to 4.3.1 or later.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXIzeGMtNDdxZy1oOTI5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: 11 months ago
Identifiers: GHSA-r3xc-47qg-h929
References:
- https://github.com/ionic-team/ionic/issues/18065
- https://www.npmjs.com/advisories/1023
- https://github.com/advisories/GHSA-r3xc-47qg-h929
Affected Packages
npm:@ionic/core
Versions: >= 4.3.0, < 4.3.1, >= 4.2.0, < 4.2.1, >= 4.1.0, < 4.1.3, < 4.0.3
Fixed in: 4.3.1, 4.2.1, 4.1.3, 4.0.3
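The affected ranges and fixed releases listed above can be checked against an installed @ionic/core version as follows. This is an added example, not part of the advisory or of the Ionic project; the names AFFECTED_RANGES, parseVersion, compare and checkIonicCore are hypothetical, and the sample versions are constructed.

```javascript
// Affected ranges copied from the "Affected Packages" entry of this advisory.
// min === null means "no lower bound" (the "< 4.0.3" range).
const AFFECTED_RANGES = [
  { min: "4.3.0", fixed: "4.3.1" },
  { min: "4.2.0", fixed: "4.2.1" },
  { min: "4.1.0", fixed: "4.1.3" },
  { min: null, fixed: "4.0.3" },
];

// Parse "x.y.z" or "x.y.z-pre" into a comparable tuple. The fourth field is 0 for
// a prerelease and 1 for a release, so "4.0.3-rc.1" sorts below "4.0.3" as in semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Lexicographic comparison of two parsed tuples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, upgradeTo }; upgradeTo is the fixed release of the
// range the installed version falls into, or null when no range matches.
function checkIonicCore(installed) {
  const v = parseVersion(installed);
  for (const { min, fixed } of AFFECTED_RANGES) {
    const aboveMin = min === null || compare(v, parseVersion(min)) >= 0;
    if (aboveMin && compare(v, parseVersion(fixed)) < 0) {
      return { affected: true, upgradeTo: fixed };
    }
  }
  return { affected: false, upgradeTo: null };
}

// Constructed sample versions, not taken from a real lockfile.
for (const v of ["4.0.2", "4.1.2", "4.1.3", "4.2.0", "4.3.1", "4.0.3-rc.1"]) {
  console.log(v, checkIonicCore(v));
}
```

The installed version to pass in is the one resolved in the lockfile, not the range declared in package.json.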