5.4

CVE-2022-25873

Exploit

Cross-site Scripting (XSS)

The package vuetify from 2.0.0-beta.4 and before 2.6.10 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.
Data provided by the National Vulnerability Database (NVD)
Vuetifyjs Vuetify Version >= 2.0.1 < 2.6.10
Vuetifyjs Vuetify Version 2.0.0 Update beta4
Vuetifyjs Vuetify Version 2.0.0 Update beta5
Vuetifyjs Vuetify Version 2.0.0 Update beta6
Vuetifyjs Vuetify Version 2.0.0 Update beta7
Vuetifyjs Vuetify Version 2.0.0 Update beta8
Vuetifyjs Vuetify Version 2.0.0 Update beta9
No warning was found for this CVE.

EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.64% | 0.459

CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 5.4 | 2.8 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
report@snyk.io | 4.6 | 2.1 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://codepen.io/5v3n-08/pen/MWGKEjY (Third Party Advisory, Exploit)
https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176 (Patch, Third Party Advisory)
https://github.com/vuetifyjs/vuetify/issues/15757 (Third Party Advisory, Issue Tracking)
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407 (Third Party Advisory)
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406 (Third Party Advisory)
https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858 (Third Party Advisory)