PT-2021-11538 · Npm · @Scullyio/Scully

Published

2021-01-14

Updated

2021-07-21

CVE-2020-28470

CVSS v3.1

7.3

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions: @scullyio/scully versions prior to 1.0.9

Description: The issue affects the package @scullyio/scully. It involves the serialization of the transfer state using the JSON.stringify() function, which is then written into the HTML page.

Recommendations: For versions prior to 1.0.9, update to version 1.0.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the JSON.stringify() function for serializing the transfer state until a patch is applied.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2020-28470

GHSA-R96P-V3CR-GFV8

SNYK-JS-SCULLYIOSCULLY-1055829

Affected Products

@Scullyio/Scully

PT-2021-11538 · Npm · @Scullyio/Scully

CVE-2020-28470

Weakness Enumeration

Related Identifiers

Affected Products

References · 8