CVE-2017-1000006

描述

Affected versions of `plotly.js` are vulnerable to cross-site scripting if an attacker can convince a user to visit a malicious plot on a site using this package. ## Recommendation Update to 1.16.0 or later.

如何修補 CVE-2017-1000006

要修補 CVE-2017-1000006,請將受影響套件升級到下列已修補版本。

• npm/plotly.js—升級至 1.16.0 或更新版本

CVE-2017-1000006 正在被利用嗎?

低 — EPSS 為 0.6%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 1.16.0

CVSS 分數

參考連結(5)

• ADVISORYgithub.com/advisories/GHSA-2fqv-h3r5-m4vf
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-1000006
• WEBhelp.plot.ly/security-advisories/2016-08-08-plotlyjs-xss-advisory
• WEBacloudtree.com/2016-08-09-how-i-hacked-plotly-by-exploiting-a-svg-vulnerability-in-plotlyjs