Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to an innerHTML without sanitization. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker-executed JavaScript. At this time, no patch is available.
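Since no patch is available, an application that feeds user-supplied strings into Slim Select can escape the option `text` field before handing the data to the library, and audit its data sources for option text that would be parsed as markup. The following is an added example, not Slim Select's own code; it assumes the Slim Select 2 data shape of option objects with `text`/`value` fields and optgroups with a nested `options` array.

```javascript
// Added example, not part of Slim Select. Because createOption() assigns the
// option "text" field to innerHTML, any user-controlled string must be escaped
// by the calling application before it reaches the library. The data shape
// (options with `text`/`value`, optgroups with nested `options`) is assumed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML-significant characters so the string is rendered as
// literal text even when the consumer assigns it to innerHTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Return a deep copy of Slim Select data with every option's `text` escaped.
// `value` is left untouched: it is compared by the library, not rendered.
function sanitizeSlimSelectData(data) {
  return data.map((entry) => {
    if (Array.isArray(entry.options)) {
      // Optgroup: recurse into its options.
      return { ...entry, options: sanitizeSlimSelectData(entry.options) };
    }
    return { ...entry, text: escapeHtml(entry.text) };
  });
}

// Audit helper for defenders: list the `value` of every option whose text
// contains a tag opener and would therefore be parsed as HTML by innerHTML.
function optionsWithMarkup(data) {
  const hits = [];
  for (const entry of data) {
    if (Array.isArray(entry.options)) hits.push(...optionsWithMarkup(entry.options));
    else if (String(entry.text).includes('<')) hits.push(entry.value);
  }
  return hits;
}

// Constructed sample data: one display name carries markup, as a user-chosen
// name stored without validation might.
const sampleData = [
  { text: 'Alice', value: 'u1' },
  { text: '<i>not italic</i>', value: 'u2' },
  { label: 'Admins', options: [{ text: 'Bob & "Co"', value: 'u3' }] },
];

const safeData = sanitizeSlimSelectData(sampleData);
// safeData is what the application should pass to Slim Select's setData()/data.
```

After escaping, `optionsWithMarkup(safeData)` returns an empty list while the unescaped `sampleData` flags option `u2`.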
History
Wed, 13 Nov 2024 20:15:00 +0000

Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Slimselectjs; Slimselectjs slim Select |
CPEs | | cpe:2.3:a:slimselectjs:slim_select:*:*:*:*:*:node.js:*:* |
Vendors & Products | | Slimselectjs; Slimselectjs slim Select |

Wed, 02 Oct 2024 20:30:00 +0000

Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Brian Voelker; Brian Voelker slim Select |
CPEs | | cpe:2.3:a:brian_voelker:slim_select:*:*:*:*:*:*:*:* |
Vendors & Products | | Brian Voelker; Brian Voelker slim Select |
Metrics | | ssvc |

Wed, 02 Oct 2024 18:45:00 +0000

Type | Values Removed | Values Added |
---|---|---|
Description | | Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to an innerHTML without sanitation. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker executed JavaScript. At this time, no patch is available. |
Title | | Slim Select 2.0 createOption "text" XSS |
Weaknesses | | CWE-79 |
References | | |
Metrics | | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: VulnCheck
Published: 2024-10-02T18:40:05.254Z
Updated: 2024-10-02T19:13:30.506Z
Reserved: 2024-10-02T17:45:54.918Z
Link: CVE-2024-9440
Vulnrichment
Updated: 2024-10-02T19:13:23.795Z
NVD
Status: Analyzed
Published: 2024-10-02T19:15:15.880
Modified: 2024-11-13T19:50:24.960
Link: CVE-2024-9440
Redhat
No data.