EIQ-2019-0023

ID	EIQ-2019-0023
CVE	-
Description	Cross-site scripting (XSS) vulnerability in webpack bundle analyzer
Date	29 Apr 2019
Severity	2 - MEDIUM
CVSSv3 score	CVSSv3 score not available on NIST NVD.
Status	✅ 2.5.0
Assessment	webpack bundle analyzer versions 3.3.1 and earlier is vulnerable to cross-site scripting (XSS). The JSON.stringify method can accept server-rendered HTML, but it does not properly escape input. An attacker could exploit improper input sanitization to inject malicious code, which JSON.stringify could pass with parameter functions such as chartData, enableWebSocket, or defaultSizes. Since the data is not validated correctly, it could bypass a web browser’s Same Origin Policy, and the web browser could execute malicious code on the client side.
Mitigation	Upgrade webpack bundle analyzer to version 3.3.2 or later.
Affected versions	2.4.0 and earlier.
Notes	For more information, see: npm security advisory about the vulnerability Snyk report about the vulnerability GitHub pull request with the bug fix, part 1 GitHub pull request with the bug fix, part 2