Vulnerability Details CVE-2022-25929
The package smoothie from 1.31.0 and before 1.36.1 are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization in strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control these properties.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 33.1%
CVSS Severity
CVSS v3 Score 5.4
References
- https://github.com/joewalnes/smoothie/commit/8e0920d50da82f4b6e605d56f41b69fbb9606a98
- https://github.com/joewalnes/smoothie/pull/147
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-3177369
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-3177368
- https://security.snyk.io/vuln/SNYK-JS-SMOOTHIE-3177364
- https://github.com/joewalnes/smoothie/commit/8e0920d50da82f4b6e605d56f41b69fbb9606a98
- https://github.com/joewalnes/smoothie/pull/147
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-3177369
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-3177368
- https://security.snyk.io/vuln/SNYK-JS-SMOOTHIE-3177364
Products affected by CVE-2022-25929
-
cpe:2.3:a:smoothiecharts:smoothie_charts:1.31.0
-
cpe:2.3:a:smoothiecharts:smoothie_charts:1.32.0
-
cpe:2.3:a:smoothiecharts:smoothie_charts:1.33.0
-
cpe:2.3:a:smoothiecharts:smoothie_charts:1.34.0
-
cpe:2.3:a:smoothiecharts:smoothie_charts:1.35.0