GMS-2020-745: Cross-Site Scripting in lazysizes

September 3, 2020 (updated October 4, 2021)

Versions of lazysizes prior to 5.2.1-rc1 are vulnerable to Cross-Site Scripting. The video-embed plugin fails to sanitize the following attributes: data-vimeo, data-vimeoparams, data-youtube and data-ytparams. This allows attackers to execute arbitrary JavaScript in a victim’s browser if the attacker has control over the vulnerable attributes.

Recommendation

Upgrade to version 5.2.1-rc1 or later.

References

github.com/aFarkas/lazysizes/issues/764
github.com/advisories/GHSA-w4vp-3mq7-7v82
www.npmjs.com/advisories/1493

Detect and mitigate GMS-2020-745 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →