Description
Cross-site scripting (XSS) in version 0.2.0 of the buttle npm package causes attacker-provided code to execute in the victim's browser when an attacker creates an arbitrary file on the server.
Remediation
References
https://hackerone.com/reports/331110
Related Vulnerabilities
CVE-2022-40705 Vulnerability in maven package soap:soap
CVE-2017-16084 Vulnerability in npm package list-n-stream
CVE-2017-15719 Vulnerability in maven package com.googlecode.wicket-jquery-ui:wicket-kendo-ui
CVE-2018-1000665 Vulnerability in maven package org.webjars:dojo
CVE-2019-18212 Vulnerability in maven package org.lsp4xml:org.eclipse.lsp4xml.extensions.web