Advisories for Npm/@Finastra/Ssr-Pages package

2022

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ssr-pages is an HTML page builder for the purpose of server-side rendering (SSR). In versions prior to 0.1.5, a cross site scripting (XSS) issue can occur when providing untrusted input to the redirect.link property as an argument to the build(MessagePageOptions) function. While there is no known workaround at this time, there is a patch in version 0.1.5.

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ssr-pages is an HTML page builder for the purpose of server-side rendering (SSR). In versions prior to 0.1.4, a path traversal issue can occur when providing untrusted input to the svg property as an argument to the build(MessagePageOptions) function. While there is no known workaround at this time, there is a patch in version 0.1.4.