Description

A cross-Site Scripting (XSS) vulnerability in this.showInvalid and this.showInvalidCountry in SmartyStreets liveAddressPlugin.js 3.2 allows remote attackers to inject arbitrary web script or HTML via any address parameter (e.g., street or country).

Remediation

References

https://github.com/smartystreets-archives

https://jsfiddle.net/smartystreets/Lx2dbsaa/

https://www.guidepointsecurity.com/liveaddressplugin-js-vulnerability-disclosure/

Related Vulnerabilities

CVE-2019-25102 Vulnerability in npm package simple-markdown

CVE-2021-32809 Vulnerability in maven package org.webjars.npm:ckeditor4

CVE-2018-8032 Vulnerability in maven package org.apache.axis:axis

CVE-2020-7707 Vulnerability in npm package property-expr

CVE-2023-25762 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-build-step

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory Exploit