[Pkg-javascript-devel] Bug#1014727: materialize: CVE-2022-25349
Moritz Mühlenhoff
jmm at inutil.org
Sun Jul 10 22:35:18 BST 2022
Source: materialize
X-Debbugs-CC: team at security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for materialize.
CVE-2022-25349[0]:
| All versions of package materialize-css are vulnerable to Cross-site
| Scripting (XSS) due to improper escape of user input (such as
| <not-a-tag />) that is being parsed as HTML/JavaScript,
| and inserted into the Document Object Model (DOM). This vulnerability
| can be exploited when the user-input is provided to the autocomplete
| component.
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2766498
https://security.snyk.io/vuln/SNYK-JS-MATERIALIZECSS-2324800
https://github.com/materializecss/materialize/blob/main/js/autocomplete.js#L310
https://github.com/Dogfalo/materialize/blob/v1-dev/js/autocomplete.js#L285
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-25349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25349
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-javascript-devel
mailing list