Skip to content

Cross-site Scripting in @spscommerce/ds-react

Critical severity GitHub Reviewed Published Dec 15, 2023 to the GitHub Advisory Database • Updated Dec 15, 2023

Package

npm @spscommerce/ds-react (npm)

Affected versions

>= 4.12.2, < 7.17.4

Patched versions

7.17.4

Description

Impact

XSS, anyone using the SPS Select with options prop populated from user input is impacted. If these options are stored, then it could have been a stored XSS.

Patches

The code has been patched for version 7 of woodland. Users should upgrade to 7.17.4 or higher

Workarounds

This is not recommended. If you are not upgrading then you would need to sanitize your options yourself (including those currently stored in databases). This is not recommended.

References

https://github.com/SPSCommerce/woodland/blob/c49e999f97f3c0b56502859f4de1e8c6666dd74d/packages/ds-react/src/option-list/SpsOptionList.tsx#L559

References

Published to the GitHub Advisory Database Dec 15, 2023
Reviewed Dec 15, 2023
Last updated Dec 15, 2023

Severity

Critical

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-cfxh-frx4-9gjg

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.