CVE-2016-10744 — Improper Neutralization of Input During Web Page Generation in Select2

Description

In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data.

How to fix CVE-2016-10744

To remediate CVE-2016-10744, upgrade the affected package to a fixed version below.

npm/select2—upgrade to 4.0.6 or later

Is CVE-2016-10744 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.0.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10744
PATCHgithub.com/select2/select2
WEBgithub.com/select2/select2/issues/4587
WEBgithub.com/snipe/snipe-it/pull/6831
WEB