CVE-2023-46729: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
sentry-javascript provides Sentry SDKs for JavaScript. An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This issue only affects users who have Next.js SDK tunneling feature enabled. The problem has been fixed in version 7.77.0.
References
- blog.sentry.io/next-js-sdk-security-advisory-cve-2023-46729/
- docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/
- github.com/advisories/GHSA-2rmr-xw8m-22q9
- github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be
- github.com/getsentry/sentry-javascript/pull/9415
- github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9
- www.npmjs.com/package/@sentry/nextjs/v/7.77.0
Code Behaviors & Features
Detect and mitigate CVE-2023-46729 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →