Unknown · Element Plus · CVE-2025-57665
Name of the Vulnerable Software and Affected Versions:
Element Plus versions through 2.10.6
Description:
The Element Plus Link component (`el-link`) passes the `href` attribute through without sufficiently validating it. An attacker who controls that value can inject URLs with dangerous schemes (such as `javascript:`, `data:`, and `file:`) or redirect users to malicious sites. This enables cross-site scripting (XSS), phishing, and open redirect in applications that bind user-controlled or untrusted URL inputs to the component.
Recommendations:
Element Plus versions prior to 2.10.6 are affected.
Ensure proper validation and sanitization of the `href` attribute before using it in the Link component.
Implement security headers to mitigate potential risks associated with user-controlled URLs.
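An allowlist-based `href` check of the kind recommended above, applied before a value is bound to `<el-link :href>`. This is an added example, not Element Plus code; the application origin, the `sanitizeHref` helper name and the `allowExternal` switch are assumptions.

```javascript
// Schemes a link may carry; everything else (javascript:, data:, file:, vbscript:, ...) is rejected.
const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
// Assumed origin of the application; relative links are resolved against it.
const APP_ORIGIN = "https://app.example";

// Returns a normalized absolute URL that is safe to bind to el-link's href, or null
// when the input must be rejected. Same-origin links (and mailto:) are always allowed;
// links to other origins only when allowExternal is true (open-redirect guard).
function sanitizeHref(raw, allowExternal = false) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // Parse with the WHATWG URL parser instead of matching the raw string:
    // the parser lower-cases the scheme and strips ASCII tabs/newlines, so
    // "JavaScript:" and "java\tscript:" are both recognized as javascript:.
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  if (!SAFE_PROTOCOLS.has(url.protocol)) return null;
  // Scheme-relative inputs such as "//other.example/x" resolve to a foreign origin
  // and are caught here, as are absolute http(s) links to other hosts.
  if (!allowExternal && url.protocol !== "mailto:" && url.origin !== APP_ORIGIN) return null;
  return url.href;
}

// Constructed inputs of the kinds named in the advisory, for a quick self-check.
const SAMPLES = [
  "/docs/page",
  "#section",
  "javascript:alert(1)",
  "JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "file:///etc/passwd",
  "//other.example/login",
  "https://other.example/login",
  "mailto:security@app.example",
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", sanitizeHref(s));
```

In a Vue component the helper would sit in a `computed` and the template would bind `:href="safeHref ?? undefined"`, so a rejected value yields no link target at all.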