CVE-2022-25854 – @yaireo/tagify

Package

Manager: npm
Name: @yaireo/tagify
Vulnerable Version: >=0 <4.9.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00601 pctl0.68515

Details

tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the cross-site scripting (XSS) payload.

Metadata

Created: 2022-04-30T00:00:33Z
Modified: 2022-05-26T19:48:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-pxpf-v376-7xx5/GHSA-pxpf-v376-7xx5.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-pxpf-v376-7xx5
Finding: F008
Auto approve: 1