CVE-2022-25873 vuetify is vulnerable to XSS due to improper input sanitization in the 'eventName' function of VCalendar.
An attacker can inject malicious code into the application via a crafted input parameter, causing the application to run that code. This can lead to a wide variety of cross-site scripting issues, such as information leak or session stealing. This can be exploited by malicious persons to conduct a variety of attacks.
To verify the version of vuetify package on your system, run the following command.
pip show vuetify --version 1.2.0
To upgrade vuetify package on your system, run the following command.
pip install -- upgrade vuetify -- upgrade 2.6 . 10 -- version 2.6 . 10
Red Hat Enterprise Linux 6 users are advised to upgrade vuetify package as soon as possible due to the severity of the issue. As an immediate work-around, you can edit the 'vue-xd/src/calendar/event.js' file and change the following line of code to 'false'.
Red Hat Enterprise Linux 7 users are advised to upgrade vuetify package as soon as possible due to the severity of the issue. As an immediate work-around, you can edit the 'vue-xd/src/calendar/event.js' file and change the following line of code to 'false'.
References a blog post about a potential security issue for vuetify package
The blog post is about a potential security issue for vuetify package. It mentions how to verify the version of vuetify package on your system, and how to upgrade vuetify package on your system.
Timeline
Published on: 09/18/2022 15:15:00 UTC
Last modified on: 09/21/2022 12:49:00 UTC
References
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406
- https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407
- https://codepen.io/5v3n-08/pen/MWGKEjY
- https://github.com/vuetifyjs/vuetify/issues/15757
- https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25873