CVE-2021-23439 — Cross-site Scripting in file-upload-with-preview

描述

This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file).

如何修補 CVE-2021-23439

要修補 CVE-2021-23439,請將受影響套件升級到下列已修補版本。

npm/file-upload-with-preview—升級至 4.2.0 或更新版本

CVE-2021-23439 正在被利用嗎?

低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 4.2.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23439
PATCHgithub.com/johndatserakis/file-upload-with-preview
WEBgithub.com/johndatserakis/file-upload-with-preview/blob/develop/src/file-upload-with-preview.js%23L168
WEB