WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2023-44270 Vulnerability in npm package postcss

Description

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Remediation

References

https://github.com/github/advisory-database/issues/2820

https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25

https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5

https://github.com/postcss/postcss/releases/tag/8.4.31

Related Vulnerabilities

CVE-2022-25912 Vulnerability in maven package org.webjars.npm:simple-git

CVE-2023-22899 Vulnerability in maven package net.lingala.zip4j:zip4j

CVE-2023-25572 Vulnerability in maven package org.webjars.npm:react-admin

CVE-2023-44981 Vulnerability in maven package org.apache.zookeeper:zookeeper

CVE-2019-12041 Vulnerability in maven package org.webjars.bower:remarkable

Severity

Medium

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Issue Tracking Patch Release Notes