Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to innerHTML without sanitization. Software that depends on this library to dynamically generate lists from unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker-executed JavaScript. At this time, no patch is available.
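The following is an added example, not Slim Select's own code, that shows the shape of the sink the description refers to (option text interpolated into markup destined for innerHTML) next to the escaping an application should apply to user-provided option text before it reaches the library. Function names (createOptionUnsafe, createOptionSafe, sanitizeOptions, containsMarkup) and the sample Options array are hypothetical and constructed for this illustration; the real createOption() in select.ts is not reproduced here.

```javascript
// Added example (not Slim Select's code). Names are hypothetical.

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute value. After this, the string can only render as text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape, modelled on the advisory's description: option.text is
// interpolated straight into markup that will be assigned to innerHTML, so any
// markup inside the text is parsed as HTML instead of shown as text.
function createOptionUnsafe(option) {
  return `<div class="ss-option" data-id="${option.value}">${option.text}</div>`;
}

// Hardened shape: the same markup with every user-controlled field escaped.
// (In real DOM code, textContent or createTextNode is the simpler fix.)
function createOptionSafe(option) {
  return `<div class="ss-option" data-id="${escapeHtml(option.value)}">${escapeHtml(option.text)}</div>`;
}

// Defender-side mitigation for an application that must keep using a library
// whose createOption() writes innerHTML: escape user-provided text before
// building the Options array handed to the library.
function sanitizeOptions(userOptions) {
  return userOptions.map((o) => ({
    value: String(o.value),
    text: escapeHtml(o.text),
  }));
}

// Review/detection aid: flag option text carrying markup characters so it can
// be inspected before it reaches any innerHTML sink.
function containsMarkup(text) {
  return /[<>&"']/.test(String(text));
}

// Constructed input: option labels such as user-typed display names, one of
// which carries markup.
const constructedUserOptions = [
  { value: 'u1', text: 'alice' },
  { value: 'u2', text: '<i>not italic</i>' },
];

function demo() {
  const rendered = constructedUserOptions.map(createOptionUnsafe);
  const hardened = sanitizeOptions(constructedUserOptions).map(createOptionUnsafe);
  console.log('unsafe :', rendered[1]);   // markup survives into the HTML
  console.log('escaped:', hardened[1]);   // markup is now literal text
  return { rendered, hardened };
}

demo();
```

Pick one layer to do the escaping: if the application pre-escapes via sanitizeOptions and a future library version also escapes, labels will show `&amp;lt;` artefacts, so keep the mitigation in the application only until the library itself treats option text as text.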
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 13 Nov 2024 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Slimselectjs; Slimselectjs slim Select
CPEs | - | cpe:2.3:a:slimselectjs:slim_select:*:*:*:*:*:node.js:*:*
Vendors & Products | - | Slimselectjs; Slimselectjs slim Select

Wed, 02 Oct 2024 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Brian Voelker; Brian Voelker slim Select
CPEs | - | cpe:2.3:a:brian_voelker:slim_select:*:*:*:*:*:*:*:*
Vendors & Products | - | Brian Voelker; Brian Voelker slim Select
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 02 Oct 2024 18:45:00 +0000

Type | Values Removed | Values Added
Description | - | Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to innerHTML without sanitization. Software that depends on this library to dynamically generate lists from unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker-executed JavaScript. At this time, no patch is available.
Title | - | Slim Select 2.0 createOption "text" XSS
Weaknesses | - | CWE-79
References | - | -
Metrics | - | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2024-10-02T19:13:30.506Z

Reserved: 2024-10-02T17:45:54.918Z

Link: CVE-2024-9440

Vulnrichment

Updated: 2024-10-02T19:13:23.795Z

NVD

Status: Analyzed

Published: 2024-10-02T19:15:15.880

Modified: 2024-11-13T19:50:24.960

Link: CVE-2024-9440

Redhat

No data.

OpenCVE Enrichment

No data.