CVE-2023-38687

Name of the Vulnerable Software and Affected Versions Svelecte versions prior to 3.16.3

Description Svelecte item names are rendered as raw HTML with no escaping, allowing the injection of arbitrary HTML into the Svelecte dropdown. This can be exploited to execute arbitrary JavaScript whenever a Svelecte dropdown is opened. The actual impact of this issue for a specific application depends on how trustworthy the sources that provide Svelecte items are and the steps that the application has taken to mitigate XSS attacks. XSS attacks using this issue are mostly mitigated by a Content Security Policy that blocks inline JavaScript.

Recommendations To resolve the issue, upgrade to version 3.16.3 or later. For versions prior to 3.16.3, as a temporary workaround, consider escaping all special HTML characters in item names, for example, using document.createTextNode(). Restrict access to the Svelecte dropdown to minimize the risk of exploitation until a patch is applied. Avoid using the Svelecte component with dynamically created items from untrusted sources until the issue is resolved.