Vulnerability Description
This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e. an array), it is returned without being escaped or sanitized, leading to a potential Cross-Site Scripting vulnerability.
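The bug class described above, as an added example that is not tempura's own code: a hypothetical escape helper whose type check hands objects back unescaped, beside a hardened form and a regression check a project can keep in its test suite. All function names (escUnsafe, escSafe, renderGreeting, escaperHandlesObjects) are assumptions for this demo.

```javascript
// Added example, not tempura's source. Mirrors the pattern in CVE-2021-23784:
// an HTML escaper that only escapes primitives and passes objects through.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeString(str) {
  return str.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: objects (arrays included) are returned as-is. When the
// template later concatenates the value, Array#toString joins the elements
// with commas and any markup inside reaches the page unescaped.
function escUnsafe(value) {
  if (typeof value === 'object' && value !== null) return value;
  return escapeString(String(value));
}

// Hardened pattern: coerce every value to a string first, so the escape step
// applies regardless of the input's runtime type.
function escSafe(value) {
  if (value == null) return '';
  return escapeString(typeof value === 'string' ? value : String(value));
}

// Minimal stand-in for a template interpolation step.
function renderGreeting(esc, name) {
  return `<p>Hello, ${esc(name)}!</p>`;
}

// Regression check: feed the escaper an array containing markup and require
// a string result with no raw '<' left in it.
function escaperHandlesObjects(esc) {
  const out = esc(['<x>']);
  return typeof out === 'string' && !out.includes('<');
}

// Constructed sample input: an array rather than a string, e.g. from a
// query-string parser that turns repeated keys into arrays.
const userInput = ['<b>injected</b>'];

function demo() {
  return {
    unsafe: renderGreeting(escUnsafe, userInput),
    safe: renderGreeting(escSafe, userInput),
  };
}
```

The unsafe rendering emits the markup verbatim while the hardened one emits entity-encoded text; escaperHandlesObjects(escUnsafe) returns false and escaperHandlesObjects(escSafe) returns true.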
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tempura Project | Tempura | < 0.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9 (Patch, Third Party Advisory)
- https://github.com/lukeed/tempura/releases/tag/v0.4.0 (Release Notes, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633 (Exploit, Mitigation, Patch)
FAQ
What is CVE-2021-23784?
CVE-2021-23784 is a vulnerability with a CVSS score of 5.4 (MEDIUM). This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e. an array), it is returned without being escaped or sanitized, leading to a potential Cross-Site Scripting vulnerability.
How severe is CVE-2021-23784?
CVE-2021-23784 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-23784?
Check the references section above for vendor advisories and patch information. Affected products include Tempura (Tempura Project).