CVE-2021-43785
Cross-Site Scripting Vulnerability in @joeattardi/emoji-button
描述
### Impact There are two vectors for XSS attacks with versions of @joeattardi/emoji-button before 4.6.2: - A URL for a custom emoji - An i18n string In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious code. ### Patches This vulnerability is fixed starting in version 4.6.2. This is resolved by properly escaping strings that are inserted into the HTML document. ### Workarounds There is no workaround other than upgrading to a non-vulnerable version. ### Credit This issue was discovered by GitHub team member [@erik-krogh (Erik Krogh Kristensen)](https://github.com/erik-krogh) and was reported by the GitHub Security Lab team.
如何修補 CVE-2021-43785
要修補 CVE-2021-43785,請將受影響套件升級到下列已修補版本。
- —升級至 4.6.2 或更新版本
CVE-2021-43785 正在被利用嗎?
低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 4.6.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L |