This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.
References
Link | Resource |
---|---|
https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/ | Exploit Patch Third Party Advisory |
https://github.com/yairEO/tagify/commit/198c0451fad188390390395ccfc84ab371def4c7 | Patch Third Party Advisory |
https://github.com/yairEO/tagify/issues/988 | Exploit Issue Tracking Third Party Advisory |
https://github.com/yairEO/tagify/releases/tag/v4.9.8 | Release Notes Third Party Advisory |
https://snyk.io/vuln/SNYK-JS-YAIREOTAGIFY-2404358 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: snyk
Published: 2022-04-29T00:00:00
Updated: 2022-05-13T12:38:12
Reserved: 2022-02-24T00:00:00
Link: CVE-2022-25854
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-04-29T20:15:07.580
Modified: 2022-09-23T18:57:11.480
Link: CVE-2022-25854
JSON object: View
Redhat Information
No data.
CWE