Vulnerability Description
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious code.
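The following is an added example, not code from @joeattardi/emoji-button or from the advisory; it models the bug class the description names. When a picker builds its markup by interpolating a custom-emoji URL or an i18n string straight into HTML, either value can close the attribute or text it was meant to fill and plant a `script` tag. The hardened functions escape each value for its HTML context and allow-list the image URL scheme. The function names, the `searchLabel` i18n key, the base origin `https://picker.example/` and all payload strings are constructed for illustration.

```javascript
// Added example, not code from @joeattardi/emoji-button. It models the bug
// class from the advisory: untrusted custom-emoji URLs and i18n strings
// interpolated straight into HTML markup. All inputs below are constructed.

// Constructed inputs: a benign custom emoji, plus hypothetical payloads.
const BENIGN_EMOJI = { url: 'https://example.com/party.png', label: 'party' };
const EVIL_URL = '"><script>alert(1)</script><img src="x';   // breaks out of src=""
const EVIL_SCHEME = 'javascript:alert(3)';                    // disallowed scheme
const EVIL_I18N = { searchLabel: '<script>alert(2)</script>Search' };

// Vulnerable pattern: template strings build markup that is later assigned
// to innerHTML (or equivalent). Attribute and text contexts are unescaped.
function renderEmojiUnsafe(emoji) {
  return `<img class="custom-emoji" src="${emoji.url}" alt="${emoji.label}">`;
}

function renderSearchLabelUnsafe(i18n) {
  return `<label class="search-label">${i18n.searchLabel}</label>`;
}

// Hardened pattern, step 1: escape for the HTML context the value lands in.
// This escaper is safe for double-quoted attribute values and for text nodes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern, step 2: allow-list the URL scheme before the value reaches
// an attribute. Relative paths resolve against a hypothetical picker origin.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function safeImageUrl(url) {
  let parsed;
  try {
    parsed = new URL(url, 'https://picker.example/');
  } catch (_e) {
    return null; // unparseable: drop the emoji rather than guess
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Returns null when the URL is rejected so the caller skips the emoji.
function renderEmojiSafe(emoji) {
  const url = safeImageUrl(emoji.url);
  if (url === null) return null;
  return `<img class="custom-emoji" src="${escapeHtml(url)}" alt="${escapeHtml(emoji.label)}">`;
}

function renderSearchLabelSafe(i18n) {
  return `<label class="search-label">${escapeHtml(i18n.searchLabel)}</label>`;
}

// Crude detector used only to show the difference: does the rendered markup
// contain a script tag the component author did not write?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe URL  :', renderEmojiUnsafe({ url: EVIL_URL, label: 'x' }));
console.log('safe URL    :', renderEmojiSafe({ url: EVIL_URL, label: 'x' }));
console.log('unsafe i18n :', renderSearchLabelUnsafe(EVIL_I18N));
console.log('safe i18n   :', renderSearchLabelSafe(EVIL_I18N));
```

The two defences are layered on purpose: escaping stops the attribute breakout regardless of the scheme, while the scheme allow-list rejects values such as `javascript:` URLs that escaping alone would pass through intact. Building the `img` element with `document.createElement` and `setAttribute` instead of string templating removes the attribute-context problem entirely, but the scheme check is still needed.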
CVSS Score
7.6 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Emoji Button Project | Emoji Button | < 4.6.2 |
Related Weaknesses (CWE)
References
- https://github.com/joeattardi/emoji-button/commit/05970c09180cd27fff493e998ac5bf (Patch, Third Party Advisory)
- https://github.com/joeattardi/emoji-button/commit/fe54bef107eb3f74873a4018f2ff49 (Patch, Third Party Advisory)
- https://github.com/joeattardi/emoji-button/security/advisories/GHSA-f34m-x9pj-62 (Third Party Advisory)
FAQ
What is CVE-2021-43785?
CVE-2021-43785 is a vulnerability with a CVSS score of 7.6 (HIGH). @joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions (before 4.6.2) there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both cases a value can be crafted so that it inserts a `script` tag into the page and executes malicious code.
How severe is CVE-2021-43785?
CVE-2021-43785 has been rated HIGH with a CVSS base score of 7.6/10. This page records the base score and rating only, not the individual CVSS metrics; the GitHub security advisory linked in the References section carries the full assessment.
Is there a patch for CVE-2021-43785?
Yes. The affected range is @joeattardi/emoji-button < 4.6.2, so upgrading to 4.6.2 or later resolves the issue. The References section links the GitHub security advisory and the two commits that carry the fix.