CVE-2022-25854: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

April 30, 2022 (updated May 3, 2022)

This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.

References

github.com/advisories/GHSA-pxpf-v376-7xx5
github.com/yairEO/tagify/commit/198c0451fad188390390395ccfc84ab371def4c7
github.com/yairEO/tagify/issues/988
github.com/yairEO/tagify/releases/tag/v4.9.8
nvd.nist.gov/vuln/detail/CVE-2022-25854
snyk.io/vuln/SNYK-JS-YAIREOTAGIFY-2404358

Code Behaviors & Features

Detect and mitigate CVE-2022-25854 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →