Cross-site Scripting in @spscommerce/ds-react
Critical severity
GitHub Reviewed
Published
Dec 15, 2023
to the GitHub Advisory Database
•
Updated Dec 15, 2023
Description
Published to the GitHub Advisory Database
Dec 15, 2023
Reviewed
Dec 15, 2023
Last updated
Dec 15, 2023
Impact
XSS, anyone using the SPS Select with options prop populated from user input is impacted. If these options are stored, then it could have been a stored XSS.
Patches
The code has been patched for version 7 of woodland. Users should upgrade to 7.17.4 or higher
Workarounds
This is not recommended. If you are not upgrading then you would need to sanitize your options yourself (including those currently stored in databases). This is not recommended.
References
https://github.com/SPSCommerce/woodland/blob/c49e999f97f3c0b56502859f4de1e8c6666dd74d/packages/ds-react/src/option-list/SpsOptionList.tsx#L559
References