Fluid Attacks Database

Description

@claviska/jquery-minicolors vulnerable to Cross-site Scripting jQuery MiniColors is a color picker built on jQuery. Prior to version 2.3.6, jQuery MiniColors is prone to cross-site scripting when handling untrusted color names. This issue is patched in version 2.3.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	jquery-minicolors	>=0 <2.3.5+dfsg-4	2.3.5+dfsg-4
npm	@claviska/jquery-minicolors	>=0 <2.3.6	2.3.6
debian 11	jquery-minicolors	=2.2.6+dfsg-4 \|\| =2.3.5+dfsg-1 \|\| =2.3.5+dfsg-2 \|\| =2.3.5+dfsg-3 \|\| =2.3.5+dfsg-4 \|\| =2.3.6+dfsg-1	-
debian 12	jquery-minicolors	>=0 <2.3.5+dfsg-4	2.3.5+dfsg-4
debian 13	jquery-minicolors	>=0 <2.3.5+dfsg-4	2.3.5+dfsg-4

Aliases

1. CVE-2021-328502. NVD-2021-328503. OSV-DEBIAN-2021-328504. OSV-2021-328505. https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin6. GCVE-2021-328507. SECURITY-TRACKER-CVE-2021-32850

References

1. https://github.com/claviska/jquery-minicolors/commit/ef134824a7f4110ada53ea6c173111a4fa2f48f32. https://codepen.io/webbiesdk/pen/oNBQNNV3. https://github.com/claviska/jquery-minicolors/releases/tag/2.3.64. https://lists.fedoraproject.org/archives/list/[email protected]/message/MC5HV4ESLV2E23YGHNJ542QEZBH6YE2F5. https://lists.fedoraproject.org/archives/list/[email protected]/message/UDXBWA54A7D6HMR2TN5BAYNCU7HO2PUO