PT-2022-13743 · Medialize · Uri.Js

Zeyu2001 · Published 2022-04-05 · Updated 2023-07-24 · CVE-2022-1243

CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: medialize/uri.js versions prior to 1.19.11
Description: The issue is related to CRLF handling, which can lead to invalid protocol extraction and potentially to XSS. Specifically, control characters such as \r, \n, and \t in user-supplied URLs cause the npm package urijs to extract the protocol incorrectly. This can be exploited to bypass checks intended to prevent malicious javascript: links from being passed into HTML or JavaScript. For example, an attacker could use a URL like "ja\r\nvascript:alert(1)": urijs does not recognise the javascript scheme, while a browser strips the embedded CR/LF and executes the JavaScript.
Recommendations: For versions prior to 1.19.11, update to version 1.19.11 or later to resolve the issue. As a temporary workaround, validate and sanitize user-supplied URLs so that control characters cannot be injected. Additionally, restrict the use of the urijs module to trusted input only until the update can be applied.
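The following is an added example, not code from uri.js or from this advisory's author. It shows the failure mode described above next to the hardening the workaround calls for: a naive scheme extractor (the kind of quick regex check an application might use as a guard) returns no scheme for a URL containing CR/LF, while the WHATWG parser used by browsers and Node's built-in URL class strips those characters and sees javascript:. The hardened extractor normalises the input the same way before matching, and the href check is an allowlist. All function names (naiveScheme, robustScheme, browserScheme, isSafeHref) and the sample URLs are constructed for this example.

```javascript
// Added example (not uri.js code): scheme extraction that is not fooled by
// CR / LF / TAB characters embedded in a user-supplied URL.

// Naive extractor: it reads the scheme only when the characters before ':'
// are plain scheme characters. "ja\r\nvascript:alert(1)" therefore yields
// null ("no scheme, must be relative"), which is exactly the wrong answer,
// because a browser drops the \r\n and treats the URL as javascript:.
function naiveScheme(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// What a browser does: Node's global URL class implements the WHATWG URL
// parser, which strips leading/trailing C0 controls and spaces and removes
// every ASCII tab, LF and CR before it looks at the scheme.
function browserScheme(url) {
  try {
    return new URL(url).protocol; // e.g. "javascript:" (includes the colon)
  } catch {
    return null; // not an absolute URL at all
  }
}

// Hardened extractor: apply the same normalisation the WHATWG parser applies,
// then match. Any scheme the browser would see, this function sees too.
function normalizeUrlInput(url) {
  return String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "") // trim C0 controls + space
    .replace(/[\t\n\r]/g, "");                           // drop TAB / LF / CR anywhere
}

function robustScheme(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalizeUrlInput(url));
  return m ? m[1].toLowerCase() : null;
}

// Policy check for an href: an allowlist, never a blocklist. A scheme-less
// (relative) URL is accepted; anything with a scheme must be on the list.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

function isSafeHref(url) {
  const scheme = robustScheme(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Demonstration on the advisory's example input (constructed test value).
const sample = "ja\r\nvascript:alert(1)";
console.log("naive  :", naiveScheme(sample));   // null  -> guard is bypassed
console.log("browser:", browserScheme(sample)); // "javascript:"
console.log("robust :", robustScheme(sample));  // "javascript"
console.log("safe?  :", isSafeHref(sample));    // false
```

The key design choice is to normalise before matching rather than to search for forbidden substrings: the parser that finally interprets the URL (the browser) is the one whose view of the scheme matters, so the check has to reproduce its preprocessing steps, not just look at the raw bytes.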

Related Identifiers

CVE-2022-1243
GHSA-3VJF-82FF-P4R3

Affected Products

Uri.Js