Description
lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript.
Remediation
References
https://github.com/aFarkas/lazysizes/commit/3720ab8262552d4e063a38d8492f9490a231fd48
https://snyk.io/vuln/SNYK-JS-LAZYSIZES-567144
Related Vulnerabilities
CVE-2023-28867 Vulnerability in maven package com.graphql-java:graphql-java
CVE-2021-21266 Vulnerability in maven package org.openhab.addons.bundles:org.openhab.binding.ihc
CVE-2021-23472 Vulnerability in npm package bootstrap-table
CVE-2023-31582 Vulnerability in maven package org.bitbucket.b_c:jose4j
CVE-2022-29252 Vulnerability in maven package org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki