CVE-2022-25349

Name of the Vulnerable Software and Affected Versions materialize-css versions (all versions)

Description The issue arises from improper escape of user input, such as <not-a-tag />, which is then parsed as HTML/JavaScript and inserted into the Document Object Model (DOM). This can lead to Cross-site Scripting (XSS) when user-input is provided to the autocomplete component.

Recommendations For all versions, consider disabling the autocomplete component until a proper fix is implemented to escape user input correctly. Restrict the parsing of user-input as HTML/JavaScript to minimize the risk of exploitation.