PT-2020-21477 · Ionic · @Ionic/Core

Published 2020-09-03 · Updated 2020-09-03

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
  • @ionic/core versions prior to 4.0.3
  • @ionic/core versions prior to 4.1.3
  • @ionic/core versions prior to 4.2.1
  • @ionic/core versions prior to 4.3.1
Description
The issue affects @ionic/core, where the package uses the unsafe innerHTML property without sanitizing input. This may allow attackers to execute arbitrary JavaScript in the victim's browser. The affected component properties include <ion-alert>.message, <ion-searchbar>.placeholder, <ion-infinite-scroll-content>.loadingText, <ion-refresher-content>.pullingText, and <ion-refresher-content>.refreshingText.
Recommendations
  • If you are using @ionic/core 4.0.x, upgrade to 4.0.3 or later.
  • If you are using @ionic/core 4.1.x, upgrade to 4.1.3 or later.
  • If you are using @ionic/core 4.2.x, upgrade to 4.2.1 or later.
  • If you are using @ionic/core 4.3.x, upgrade to 4.3.1 or later.
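
The upgrade thresholds above can be checked against a project's lockfile. The following is an added example, not code from this advisory or from Ionic. It assumes an npm package-lock.json in the v2/v3 "packages" layout; the sample lockfile is constructed and some-widget is a hypothetical package name. Release lines the advisory does not list are reported as 'unlisted' rather than guessed.

```javascript
// Fixed patch level for each 4.x release line, taken from the recommendations above.
const FIXED_PATCH = { '4.0': 3, '4.1': 3, '4.2': 1, '4.3': 1 };

// Classify one @ionic/core version string as 'affected', 'fixed',
// 'unlisted' (release line not named in the advisory) or 'unparsed'.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return 'unparsed';
  const line = `${m[1]}.${m[2]}`;
  if (!Object.prototype.hasOwnProperty.call(FIXED_PATCH, line)) return 'unlisted';
  const patch = Number(m[3]);
  const fixed = FIXED_PATCH[line];
  // In semver ordering a pre-release such as 4.0.3-rc.1 sorts before 4.0.3,
  // so it still counts as "prior to" the fixed version.
  if (patch < fixed || (patch === fixed && m[4])) return 'affected';
  return 'fixed';
}

// Walk every installed copy of @ionic/core in the lockfile, including copies
// nested under other dependencies, and classify each one.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/@ionic/core')) continue;
    findings.push({ path, version: entry.version, status: classify(entry.version || '') });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@ionic/core': { version: '4.1.2' },
    'node_modules/some-widget/node_modules/@ionic/core': { version: '4.3.1' },
    'node_modules/@ionic/core-extras': { version: '1.0.0' },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(9)} ${f.version}  ${f.path}`);
}
```

A nested copy matters as much as the top-level one: a transitive dependency can pin an affected @ionic/core even after the application's direct dependency has been upgraded.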

XSS


Weakness Enumeration

Related Identifiers

GHSA-R3XC-47QG-H929

Affected Products

@Ionic/Core