CVE-2021-43785

Description

### Impact There are two vectors for XSS attacks with versions of @joeattardi/emoji-button before 4.6.2: - A URL for a custom emoji - An i18n string In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious code. ### Patches This vulnerability is fixed starting in version 4.6.2. This is resolved by properly escaping strings that are inserted into the HTML document. ### Workarounds There is no workaround other than upgrading to a non-vulnerable version. ### Credit This issue was discovered by GitHub team member [@erik-krogh (Erik Krogh Kristensen)](https://github.com/erik-krogh) and was reported by the GitHub Security Lab team.

How to fix CVE-2021-43785

To remediate CVE-2021-43785, upgrade the affected package to a fixed version below.

• —upgrade to 4.6.2 or later

Is CVE-2021-43785 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 4.6.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-43785
• PATCHgithub.com/joeattardi/emoji-button
• WEBgithub.com/joeattardi/emoji-button/commit/05970c09180cd27fff493e998ac5bf0468b1bb16
• WEBgithub.com/joeattardi/emoji-button/commit/fe54bef107eb3f74873a4018f2ff49fa124c6a2e