No analysis available yet.
No remediation available yet.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-30451 | Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. This is technically indistinguishable from a real page at the rendering level and allows access to the parent page DOM, storage, session, and cookies. If the attacker can specify customIframeId, they can hijack the source of existing iframes. This issue has been patched in version 3.3.2. |
Github GHSA |
GHSA-vh3f-qppr-j97f | Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink |
Mon, 22 Sep 2025 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 22 Sep 2025 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. This is technically indistinguishable from a real page at the rendering level and allows access to the parent page DOM, storage, session, and cookies. If the attacker can specify customIframeId, they can hijack the source of existing iframes. This issue has been patched in version 3.3.2. | |
| Title | Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink | |
| Weaknesses | CWE-79 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-09-22T19:43:47.837Z
Reserved: 2025-09-15T19:13:16.905Z
Link: CVE-2025-59430
Updated: 2025-09-22T19:43:32.996Z
Status : Deferred
Published: 2025-09-22T19:16:23.330
Modified: 2026-06-17T09:46:09.260
Link: CVE-2025-59430
No data.
OpenCVE Enrichment
No data.
-
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
EUVD
Github GHSA