1 vulnerability by tempura_project
CVE-2021-23784 (GCVE-0-2021-23784)
Vulnerability from cvelistv5 – Published: 2021-11-03 17:20 – Updated: 2024-09-17 01:45
Title
Cross-site Scripting (XSS)
Summary
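This affects the package tempura before 0.4.0. If the input to the esc function is of type object (e.g., an array), it is returned without being escaped or sanitized, which can lead to a Cross-Site Scripting vulnerability when that value is rendered into HTML. Version 0.4.0 is the first release outside the affected range; the fix commit and release tag are listed under References.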
Severity
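5.4 (Medium) – CVSS 3.1 base score; temporal score 5.1 (Medium); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P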
CWE
- Cross-site Scripting (XSS) (free-text problem type; the record carries no CWE identifier)
Assigner
snyk
References
3 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633 | x_refsource_MISC |
| https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b | x_refsource_MISC |
| https://github.com/lukeed/tempura/releases/tag/v0.4.0 | x_refsource_MISC |
Impacted products
tempura (vendor: n/a) – versions before 0.4.0 are affected
Date Public
2021-11-03 00:00
Credits
Alessio Della Libera of Snyk Research Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:14:09.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lukeed/tempura/releases/tag/v0.4.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tempura",
"vendor": "n/a",
"versions": [
{
"lessThan": "0.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"datePublic": "2021-11-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-03T17:20:42.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lukeed/tempura/releases/tag/v0.4.0"
}
],
"title": "Cross-site Scripting (XSS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-11-03T17:16:43.033351Z",
"ID": "CVE-2021-23784",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tempura",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.4.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Alessio Della Libera of Snyk Research Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633"
},
{
"name": "https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b",
"refsource": "MISC",
"url": "https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b"
},
{
"name": "https://github.com/lukeed/tempura/releases/tag/v0.4.0",
"refsource": "MISC",
"url": "https://github.com/lukeed/tempura/releases/tag/v0.4.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23784",
"datePublished": "2021-11-03T17:20:42.450Z",
"dateReserved": "2021-01-08T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:45:32.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}