Description
A cross-Site Scripting (XSS) vulnerability in this.showInvalid and this.showInvalidCountry in SmartyStreets liveAddressPlugin.js 3.2 allows remote attackers to inject arbitrary web script or HTML via any address parameter (e.g., street or country).
Remediation
References
https://github.com/smartystreets-archives
https://jsfiddle.net/smartystreets/Lx2dbsaa/
https://www.guidepointsecurity.com/liveaddressplugin-js-vulnerability-disclosure/
Related Vulnerabilities
CVE-2022-39386 Vulnerability in npm package @fastify/websocket
CVE-2022-35961 Vulnerability in maven package org.webjars.npm:openzeppelin__contracts
CVE-2020-25649 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2019-10789 Vulnerability in npm package curling
CVE-2020-1938 Vulnerability in maven package org.apache.tomcat:tomcat-util