GHSA-cg48-9hh2-x6mx

Source
https://github.com/advisories/GHSA-cg48-9hh2-x6mx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-cg48-9hh2-x6mx/GHSA-cg48-9hh2-x6mx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cg48-9hh2-x6mx
Published
2020-09-02T18:28:58Z
Modified
2021-09-27T20:53:56Z
Summary
HTML Injection in preact
Details

Versions of preact 10.x on the prerelease tags alpha and beta prior to 10.0.0-beta.1 are vulnerable to HTML Injection. Due to insufficient input validation, the package allows attackers to inject JavaScript objects as virtual-DOM nodes, which may lead to Cross-Site Scripting. This requires user input parsed with JSON.parse() to be passed directly into JSX without sanitization.

Recommendation

Upgrade to version 10.0.0-beta.1.

Database specific
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-74"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2020-08-31T18:37:35Z"
}
References

Affected packages

npm / preact

Package

Affected ranges

Type
SEMVER
Events
Introduced
10.0.0-alpha.0
Fixed
10.0.0-beta.1

Database specific

last_known_affected_version_range

"<= 10.0.0-beta.0"