CVE-2021-23439 — Cross-site Scripting in file-upload-with-preview

Description

This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file).

How to fix CVE-2021-23439

To remediate CVE-2021-23439, upgrade the affected package to a fixed version below.

npm/file-upload-with-preview—upgrade to 4.2.0 or later

Is CVE-2021-23439 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23439
PATCHgithub.com/johndatserakis/file-upload-with-preview
WEBgithub.com/johndatserakis/file-upload-with-preview/blob/develop/src/file-upload-with-preview.js%23L168
WEB