CVE-2022-25929: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
(updated )
The package smoothie from 1.31.0 and before 1.36.1 is vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization in strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control these properties.
References
- github.com/advisories/GHSA-g662-qq45-ppwm
- github.com/joewalnes/smoothie/commit/8e0920d50da82f4b6e605d56f41b69fbb9606a98
- github.com/joewalnes/smoothie/pull/147
- nvd.nist.gov/vuln/detail/CVE-2022-25929
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-3177369
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-3177368
- security.snyk.io/vuln/SNYK-JS-SMOOTHIE-3177364
Code Behaviors & Features
Detect and mitigate CVE-2022-25929 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →