PT-2018-4726 · Npm · Reduce-Css-Calc

Chalker · Published 2018-05-31 · Updated 2019-10-09 · CVE-2016-10548

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: reduce-css-calc versions <=1.2.4

Description: Arbitrary code execution is possible through crafted CSS, enabling cross-site scripting (XSS) on the client and arbitrary code injection on the server. Affected versions of reduce-css-calc pass the arithmetic inside a calc() expression directly to eval. If user-controlled input reaches the calc function, an attacker can therefore execute arbitrary JavaScript: cross-site scripting when the reduced CSS is rendered in the browser, or remote code execution when the CSS is processed server-side (for example in a Node.js build step).

Recommendations: For versions <=1.2.4, update to version 1.2.5 or later. As a temporary workaround, restrict use of the calc function to minimize the risk of exploitation, and do not pass user input to the calc function until the package has been updated.
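The following is an added example, not code from reduce-css-calc itself, illustrating the bug class described above and a hardened alternative. `reduceCalcUnsafe` is a hypothetical reducer that strips units and hands the remaining arithmetic to `eval()`, which is the pattern the advisory describes; `reduceCalcSafe` replaces it with a whitelist tokenizer and a small recursive-descent evaluator that accepts only numbers (optionally in px), the four arithmetic operators and parentheses, and rejects anything else. Function names, the px-only unit handling and the sample inputs are assumptions made for this illustration.

```javascript
// Added example, not reduce-css-calc's own code. reduceCalcUnsafe() is a
// hypothetical reducer showing the vulnerable pattern (eval on attacker
// input); reduceCalcSafe() is a hardened replacement using a whitelist parser.

// VULNERABLE PATTERN: strip units, then hand the arithmetic to eval().
function reduceCalcUnsafe(css) {
  const m = /^calc\((.*)\)$/s.exec(css.trim());
  if (!m) return css;
  const arithmetic = m[1].replace(/px/g, '');
  // eval() executes ANY JavaScript in the string, not only arithmetic.
  return `${eval(arithmetic)}px`;
}

// HARDENED: tokenizer that accepts only numbers (optionally px), + - * / ( ).
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (/\s/.test(ch)) { i += 1; continue; }
    if ('+-*/()'.includes(ch)) { tokens.push({ type: ch }); i += 1; continue; }
    const m = /^\d+(?:\.\d+)?(px)?/.exec(src.slice(i));
    if (!m) throw new Error(`unexpected character ${JSON.stringify(ch)} at offset ${i}`);
    tokens.push({ type: 'num', value: parseFloat(m[0]), unit: m[1] || '' });
    i += m[0].length;
  }
  return tokens;
}

// Recursive-descent evaluator: expr := term (('+'|'-') term)*;
// term := factor (('*'|'/') factor)*; factor := num | '-' factor | '(' expr ')'.
// Unit rules: + and - need matching units, * allows at most one length,
// / needs a unitless, non-zero divisor.
function evaluateCalc(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function factor() {
    const t = next();
    if (!t) throw new Error('unexpected end of expression');
    if (t.type === 'num') return { value: t.value, unit: t.unit };
    if (t.type === '-') { const f = factor(); return { value: -f.value, unit: f.unit }; }
    if (t.type === '(') {
      const e = expr();
      const close = next();
      if (!close || close.type !== ')') throw new Error('expected )');
      return e;
    }
    throw new Error(`unexpected token ${t.type}`);
  }
  function term() {
    let left = factor();
    while (peek() && (peek().type === '*' || peek().type === '/')) {
      const op = next().type;
      const right = factor();
      if (op === '*') {
        if (left.unit && right.unit) throw new Error('cannot multiply two lengths');
        left = { value: left.value * right.value, unit: left.unit || right.unit };
      } else {
        if (right.unit) throw new Error('divisor must be unitless');
        if (right.value === 0) throw new Error('division by zero');
        left = { value: left.value / right.value, unit: left.unit };
      }
    }
    return left;
  }
  function expr() {
    let left = term();
    while (peek() && (peek().type === '+' || peek().type === '-')) {
      const op = next().type;
      const right = term();
      if (left.unit !== right.unit) throw new Error('mismatched units');
      const value = op === '+' ? left.value + right.value : left.value - right.value;
      left = { value, unit: left.unit };
    }
    return left;
  }

  const result = expr();
  if (pos !== tokens.length) throw new Error(`trailing token ${tokens[pos].type}`);
  return result;
}

function reduceCalcSafe(css) {
  const m = /^calc\((.*)\)$/s.exec(css.trim());
  if (!m) throw new Error('not a calc() expression');
  const { value, unit } = evaluateCalc(tokenize(m[1]));
  return `${+value.toFixed(4)}${unit}`;
}

// True when the hardened reducer refuses the input (used to check payloads).
function rejectsCalc(css) {
  try { reduceCalcSafe(css); return false; } catch (e) { return true; }
}

// Constructed inputs: a legitimate expression and an injection payload.
const BENIGN = 'calc(100px - 2 * 10px)';
const PAYLOAD = 'calc(globalThis.pwned = 1)';
```

With the vulnerable reducer, `reduceCalcUnsafe(PAYLOAD)` runs the assignment inside the string and returns `1px`; the hardened reducer throws on the first non-whitelisted character, so the payload never reaches an evaluator. The same whitelist approach generalizes to other units by extending the number regex and the unit rules, but the point is that the grammar is closed: there is no path from the input string to a general-purpose interpreter.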

Exploit

Fix

XSS

Code Injection


Weakness Enumeration

Related identifiers

CVE-2016-10548
GHSA-4662-J96G-MV46

Affected products

Reduce-Css-Calc