CVE-2022-25854

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@yaireo/tagify

Identifiers

GHSA-pxpf-v376-7xx5, CVE-2022-25854

Package Slug

npm/@yaireo/tagify

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

This affects the package @yaireo/tagify before 4.9.8. The package renders UI components inside input or text fields, and an attacker can pass it a malicious placeholder value to trigger an XSS payload.

Affected Versions

All versions before 4.9.8

Solution

Upgrade to version 4.9.8 or above.
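
A check for the affected range above, written as an added example (not part of the advisory or of the tagify project): it takes a parsed npm `package-lock.json` and labels every installed copy of `@yaireo/tagify` against the fixed version 4.9.8. The function names and the sample lockfile are constructed for illustration.

```javascript
const PKG = "@yaireo/tagify";
const FIXED = "4.9.8"; // first fixed release per the advisory

// Parse MAJOR.MINOR.PATCH with optional prerelease; null when not plain semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// true/false when v sorts before fixed (numeric, so 4.10.0 is newer); null if unparseable.
function isBefore(v, fixed) {
  const a = parseVersion(v), b = parseVersion(fixed);
  if (!a || !b) return null;
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre !== null && b.pre === null; // 4.9.8-beta.1 precedes 4.9.8
}

// Every installed copy of PKG: flat "packages" map (lockfile v2/v3) or nested "dependencies" (v1).
function findInstalls(lock) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (("/" + path).endsWith("/node_modules/" + PKG)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Label each copy: "vulnerable" (before FIXED), "fixed", or "review" (unparseable version).
function audit(lock) {
  return findInstalls(lock).map((h) => {
    const before = isBefore(h.version, FIXED);
    return { ...h, status: before === null ? "review" : before ? "vulnerable" : "fixed" };
  });
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/@yaireo/tagify": { version: "4.9.7" },
  "node_modules/widget/node_modules/@yaireo/tagify": { version: "4.9.8" },
} };
for (const r of audit(sampleLock)) console.log(r.status, r.version, r.path);
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` contents to `audit`.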

Last Modified

2022-05-03
