CVE-2022-25873: vueitify Cross-Site Scripting Vulnerability Advisory

Key Information Vulnerability Type: Cross-site Scripting (XSS) Affected Package: org.webjars.npm:vueitify Affected Versions: [2.6.11] Vulnerability ID: CVE-2022-25873, CWE-79 Severity: Medium (4.6) Date Introduced: September 9, 2022 Remediation: Upgrade org.webjars.npm:vueitify to version 2.6.11 or higher. Threat Intelligence Exploit Maturity: Proof-of-Concept available EPSS: 0.53% (67th percentile) Vulnerability Details org.webjars.npm:vueitify is a Material Design component framework designed for Vue.js. Affected versions are vulnerable to Cross-site Scripting (XSS) due to improper input handling in the 'eventName' function of the VCalendar component. XSS is a code vulnerability where attackers can inject malicious scripts to target users' browsers. Attack Types Stored: Malicious code is injected server-side and activated each time a user clicks the affected link. Reflected: Attackers pass a malicious link to users; upon clicking, the malicious code is sent to the vulnerable site and reflected back to the user’s browser. DOM-based: Attackers force the user’s browser to render a malicious page. Variant Attacks: Attackers inject code that appears safe but is interpreted and modified by the browser. Affected Environments Web servers, application servers, web application environments. Mitigation Measures Sanitize data in HTTP requests, escape special characters, and provide users with options to disable client-side scripts. References [Codepen PoC] [GitHub Commit] [GitHub Issue] CVSS Base Score Snyk: 4.6 (Medium) NVD: 5.4 (Medium)

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2022-25873: vueitify Cross-Site Scripting Vulnerability Advisory