CVE-2019-13506 — Cross-Site Scripting in @nuxt/devalue

Description

Versions of `@nuxt/devalue` prior to 1.2.3 are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization attacker may inject arbitrary JavaScript code through object keys. ## Recommendation Upgrade to version 1.2.3 or later.

How to fix CVE-2019-13506

To remediate CVE-2019-13506, upgrade the affected package to a fixed version below.

—upgrade to 1.2.3 or later

Is CVE-2019-13506 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.2.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-13506
WEBgithub.com/nuxt/devalue/pull/8
WEBgithub.com/nuxt/devalue/releases/tag/v1.2.3
WEBgithub.com/nuxt/nuxt.js/commit/0d5dfe71917191c5b07f373896311f2d8f6b75be
WEB