CVE-2021-43785

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@joeattardi/emoji-button

Identifiers

CVE-2021-43785, GHSA-f34m-x9pj-62vq

Package Slug

npm/@joeattardi/emoji-button

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

@joeattardi/emoji-button is a vanilla JavaScript emoji picker component. There are two vectors for XSS attacks: a URL for a custom emoji and an i18n string. In both cases, a crafted value can insert a script tag into the page and execute malicious code.
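
The bug class described above, shown as an added example that is not taken from the package's source: untrusted values interpolated into markup next to a hardened form that validates the URL and escapes each value. The function names, the markup and the sample values are assumptions made for illustration.

```javascript
// Added illustration; not code from @joeattardi/emoji-button.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use in HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; return the normalized URL or null.
function safeImageUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null; // not parseable as an absolute URL
  }
  return url.protocol === 'https:' || url.protocol === 'http:' ? url.href : null;
}

// Pattern that allows injection: both values reach the markup unmodified.
function renderUnsafe(emojiUrl, label) {
  return `<img class="custom-emoji" src="${emojiUrl}"><span>${label}</span>`;
}

// Hardened form: the URL is validated and every dynamic value is escaped.
function renderSafe(emojiUrl, label) {
  const url = safeImageUrl(emojiUrl);
  if (url === null) throw new Error('rejected custom emoji URL');
  return `<img class="custom-emoji" src="${escapeHtml(url)}"><span>${escapeHtml(label)}</span>`;
}

// Constructed sample inputs (hypothetical host and i18n string).
const craftedUrl = 'https://cdn.example.test/e.png"><script>alert(1)</script>';
const craftedLabel = '<script>x</script>';

console.log(renderUnsafe(craftedUrl, 'Search')); // markup breaks out of src=""
console.log(renderSafe(craftedUrl, craftedLabel)); // stays inert text and URL
```

Where the DOM is available, assigning `img.src` and `element.textContent` instead of building HTML strings avoids the interpolation step altogether.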

Affected Versions

All versions before 4.6.2

Solution

Upgrade to version 4.6.2 or above.

Last Modified

2021-12-01
