CVE-2021-23784: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

November 3, 2021 (updated November 5, 2021)

This affects the package tempura If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.

References

github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b
github.com/lukeed/tempura/releases/tag/v0.4.0
nvd.nist.gov/vuln/detail/CVE-2021-23784
snyk.io/vuln/SNYK-JS-TEMPURA-1569633

Detect and mitigate CVE-2021-23784 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →