CVE-2021-43785, GHSA-f34m-x9pj-62vq
npm/@joeattardi/emoji-button
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. There are two vectors for XSS attacks, a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a script
tag into the page and execute malicious code.
All versions before 4.6.2
Upgrade to version 4.6.2 or above.
2021-12-01
source |