PT-2024-39633 · Unknown · Slim Select

Alexis Marquois · Published 2024-10-02 · Updated 2024-11-13

CVE-2024-9440
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Slim Select versions 2.0 through 2.9.0

Description: The issue is a potential cross-site scripting vulnerability. In the createOption() function, the text property of the user-provided Options object is assigned to innerHTML without sanitization. This may allow attackers to execute JavaScript, resulting in cross-site scripting. Software that depends on this library to dynamically generate lists from unsanitized user-provided input may be vulnerable.

Recommendations: For Slim Select versions 2.0 through 2.9.0, update to version 2.9.2, which includes a fix for this issue. For versions prior to 2.9.2, as a temporary workaround, sanitize the text property of the user-provided Options object before it is assigned to innerHTML, so that it cannot carry markup into the document. Restrict access to the createOption() function in select.ts to minimize the risk of exploitation until a patch is applied.
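The sink the description names and the escaping workaround from the recommendations, as an added illustration that is not Slim Select's code: one renderer that interpolates option text straight into markup destined for innerHTML, the same renderer with HTML escaping applied first, and a pre-check a caller can run over its option list before handing it to any list-rendering library. The option shape {text, value} mirrors the Options object the advisory refers to; the function names and the sample option data are constructed for this example.

```javascript
// Added example, not Slim Select's code. Models the innerHTML sink from the
// advisory as a string renderer so it runs in Node without a DOM.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern the advisory describes: option.text flows into innerHTML verbatim,
// so any markup in the label becomes live DOM.
function renderOptionUnsafe(option) {
  return `<div class="ss-option" data-id="${option.value}">${option.text}</div>`;
}

// Workaround from the recommendations: escape both the label and the value
// before either reaches the innerHTML string.
function renderOptionSafe(option) {
  return `<div class="ss-option" data-id="${escapeHtml(option.value)}">` +
         `${escapeHtml(option.text)}</div>`;
}

// Caller-side check: flag option text that still contains angle brackets or
// an entity, so user-supplied labels can be rejected or escaped up front.
function containsMarkup(text) {
  const s = String(text);
  return /[<>]/.test(s) || /&[#\w]+;/.test(s);
}

// Escape every option once, before the list is passed to a rendering library.
function sanitizeOptions(options) {
  return options.map((o) => ({
    text: escapeHtml(o.text),
    value: escapeHtml(o.value),
  }));
}

// Constructed sample input: one plain label and one label carrying HTML.
const sampleOptions = [
  { text: 'Alice', value: 'alice' },
  { text: '<b>Bob</b>', value: 'bob' },
];

// Usage: compare the two renderers on the label that carries markup.
console.log(renderOptionUnsafe(sampleOptions[1]));
console.log(renderOptionSafe(sampleOptions[1]));
console.log(sampleOptions.filter((o) => containsMarkup(o.text)).map((o) => o.value));
```

The unsafe renderer emits the <b> element as real markup; the safe one emits it as text, which is all an option label should ever be. If the library version in use cannot be upgraded, running sanitizeOptions over the list before constructing the select is the cheapest way to apply the workaround from the recommendations at the call site.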

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2024-9440, GHSA-QVQV-MCXR-X8QW

Affected Products: Slim Select