PT-2020-19677 · Github · Lazysizes

Published

2020-04-22

Updated

2021-12-10

CVE-2020-7642

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions lazysizes versions through 5.2.0

Description The issue allows execution of malicious JavaScript. The video-embed plugin does not sanitize the following attributes: data-vimeo, data-vimeoparams, data-youtube, and data-ytparams, which can be abused to inject malicious JavaScript.

Recommendations For versions through 5.2.0, consider disabling the video-embed plugin until a patch is available to prevent the injection of malicious JavaScript. Restrict access to the attributes data-vimeo, data-vimeoparams, data-youtube, and data-ytparams to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2020-7642

GHSA-HG2P-2CVQ-4PPV

SNYK-JS-LAZYSIZES-567144

Affected Products

Lazysizes

PT-2020-19677 · Github · Lazysizes

CVE-2020-7642

Weakness Enumeration

Related Identifiers

Affected Products

References · 5