PT-2021-23931 · Unknown · @Joeattardi/Emoji-Button

Authors: Erik Krogh Kristensen +1
Published: 2021-11-26 · Updated: 2021-12-01
CVE-2021-43785
CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: @joeattardi/emoji-button versions prior to 4.6.2
Description: The issue concerns two vectors for XSS attacks: a URL for a custom emoji and an i18n string. In both cases, a crafted value can insert a script tag into the page and execute malicious code.
Recommendations: For versions prior to 4.6.2, upgrade to version 4.6.2 or later, which properly escapes strings inserted into the HTML document to resolve the issue.
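The defect class and its remedy, as an added illustration that is not code from @joeattardi/emoji-button: the render functions, the `escapeHtml` helper, the URL scheme policy and the sample values below are all assumed for the example; the point is that a custom emoji URL and an i18n string are untrusted input and must be escaped (and, for the URL, scheme-checked) before they are interpolated into markup.

```javascript
// Added illustration of the advisory's defect class (untrusted strings
// interpolated into HTML) and its remedy (escaping). Not the library's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning in HTML text content
// or inside a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escaping keeps a value inside its attribute; it does not make a URL safe to
// load. Assumed policy: only absolute http(s) or data: URLs for emoji images.
function isAllowedImageUrl(url) {
  try {
    const { protocol } = new URL(url); // throws on relative/malformed input
    return protocol === 'https:' || protocol === 'http:' || protocol === 'data:';
  } catch (e) {
    return false;
  }
}

// Vulnerable pattern, kept only for contrast: raw values land in the markup,
// so a value containing '"><' closes the attribute and starts a new tag.
function renderCustomEmojiUnsafe(emoji) {
  return `<img class="custom-emoji" src="${emoji.url}" alt="${emoji.name}">`;
}

// Hardened pattern: the URL is scheme-checked, then every untrusted field is
// escaped for the attribute context it is placed in.
function renderCustomEmojiSafe(emoji) {
  const url = isAllowedImageUrl(emoji.url) ? emoji.url : '';
  return `<img class="custom-emoji" src="${escapeHtml(url)}" alt="${escapeHtml(emoji.name)}">`;
}

// Same rule for an i18n string rendered as element text.
function renderSearchLabelSafe(i18n) {
  return `<label>${escapeHtml(i18n.search)}</label>`;
}

// Constructed sample input of the kind the advisory describes.
const craftedEmoji = { url: '"><script>alert(1)</script>', name: 'smile' };
const craftedI18n = { search: '<script>alert(1)</script>' };
```

The unsafe renderer is included only to show what the escaping removes; rendering into the DOM via `textContent` or `setAttribute` instead of string concatenation avoids the problem at the source.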

Fix · XSS

Related Identifiers

CVE-2021-43785
GHSA-F34M-X9PJ-62VQ

Affected Products

@Joeattardi/Emoji-Button