Description
In Graylog before 2.4.6, cross-site scripting (XSS) was possible in the typeahead components, related to components/common/TypeAheadInput.jsx and components/search/QueryInput.ts.
Remediation
References
https://github.com/Graylog2/graylog2-server/pull/4904
https://www.graylog.org/post/announcing-the-release-of-graylog-2-4-6