Description

A cross-Site Scripting (XSS) vulnerability in this.showInvalid and this.showInvalidCountry in SmartyStreets liveAddressPlugin.js 3.2 allows remote attackers to inject arbitrary web script or HTML via any address parameter (e.g., street or country).

Remediation

References

https://github.com/smartystreets-archives

https://jsfiddle.net/smartystreets/Lx2dbsaa/

https://www.guidepointsecurity.com/liveaddressplugin-js-vulnerability-disclosure/

Related Vulnerabilities

CVE-2019-19771 Vulnerability in npm package hw-trnasport-u2f

CVE-2017-16113 Vulnerability in maven package org.webjars.npm:parsejson

CVE-2013-4590 Vulnerability in maven package org.apache.tomcat:jasper

CVE-2022-36046 Vulnerability in npm package next

CVE-2018-12541 Vulnerability in maven package io.vertx:vertx-core

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory Exploit