CVE-2021-23784 – tempura
Package
Manager: npm
Name: tempura
Vulnerable Version: >=0 <0.4.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00326 (percentile 0.54948)
Details
Cross-site Scripting in tempura. This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e., an array), it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.
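Added example (not tempura's own code and not part of the advisory): a minimal model of the behaviour described above, next to a variant that coerces every input to a string before escaping. The names escNaive, escStrict and render are hypothetical, and the example assumes the template builds its output by string concatenation.

```javascript
// Illustrative model only; this is not the tempura source.
const ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Models the flaw: only strings are escaped, any other type
// (array, object) is handed back unchanged.
function escNaive(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Hardened form: coerce to a string first, so arrays and objects
// go through the same escaping path as plain strings.
function escStrict(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Assumed rendering step: concatenation stringifies an array
// (Array.prototype.toString joins its elements), so the raw
// markup ends up in the page.
function render(esc, name) {
  return '<p>Hello, ' + esc(name) + '</p>';
}

// Constructed inputs: the same harmless markup as a string and as an array.
const fromString = '<i>markup</i>';
const fromArray = ['<i>markup</i>'];

console.log(render(escNaive, fromString)); // escaped
console.log(render(escNaive, fromArray));  // markup passes through
console.log(render(escStrict, fromArray)); // escaped
```

Callers that cannot upgrade to 0.4.0 or later can get the same effect by converting values to strings before passing them to esc.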
Metadata
Created: 2021-11-08T17:50:10Z
Modified: 2021-11-08T17:49:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-w4v7-hwx7-9929/GHSA-w4v7-hwx7-9929.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-w4v7-hwx7-9929
Finding: F425
Auto approve: 1