CVE-2018-1000160

Name of the Vulnerable Software and Affected Versions RisingStack protect versions 1.2.0 and earlier @risingstack/protect (all versions)

Description The issue concerns a Cross Site Scripting (XSS) vulnerability in the isXss() function, located in lib/rules/xss.js, which can result in dangerous XSS strings being validated as safe. This vulnerability can be exploited via a number of XSS strings, allowing attackers to execute arbitrary JavaScript in a victim's browser.

Recommendations For RisingStack protect versions 1.2.0 and earlier: At the moment, there is no information about a newer version that contains a fix for this vulnerability. For @risingstack/protect (all versions): Consider using an alternative package, as the current package is not actively maintained and will not be patched. As a temporary workaround, consider disabling the isXss() function until a patch is available or an alternative solution is implemented.