CVE-2021-23784 — Cross-site Scripting in tempura

Description

This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.

How to fix CVE-2021-23784

To remediate CVE-2021-23784, upgrade the affected package to a fixed version below.

npm/tempura—upgrade to 0.4.0 or later

Is CVE-2021-23784 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23784
PATCHgithub.com/lukeed/tempura
WEBgithub.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b
WEBgithub.com/lukeed/tempura/releases/tag/v0.4.0
WEB